License: CC BY 4.0
arXiv:2606.11736v1 [cs.CR] 10 Jun 2026

Mhot: Height-Optimized Authenticated Data Structure
for Blockchain State Commitment

Sipeng Xie, Qianhong Wu, Minghang Li, Qiyuan Gao, Bo Qin, Qin Wang
Beihang University; Renmin University of China; Independent
Abstract

State root computation dominates (~78%) blockchain block processing time. Ethereum’s canonical authenticated data structure, i.e., Merkle Patricia Trie (MPT), suffers from severe tree-height growth and is vulnerable to Nurgle attacks (S&P’24), where adversaries inflate path depth via hash collisions and degrade system performance at negligible cost. Existing defenses increase node fanout (span) to bound tree height, but higher span inflates proof size exponentially. Prior work mitigates this trade-off using vector commitments, at the cost of trusted setup or expensive verification.

We present Mhot, a height-optimal authenticated data structure for blockchain state commitment that preserves standard hash-based verification without trusted setup. Unlike MPT’s fixed-prefix indexing, which couples span and fanout exponentially, Mhot indexes by discriminative bits that actually distinguish keys, achieving adaptive span with linear fanout coupling and provably minimal height. To prevent high fanout from inflating proofs, we introduce hierarchical proofs, a two-layer Merkle construction that reduces per-node proof overhead from $O(k)$ to $O(\log k)$.

On Ethereum mainnet workloads, Mhot achieves up to 9× higher write throughput, 4× lower write amplification, and 2× smaller proofs than MPT. Under Nurgle attacks, even when the adversary consumes an entire block’s gas budget, Mhot maintains a 0% attack success rate (vs. 99.97% for MPT). Our results, somewhat surprisingly, show that height optimality (not new crypto primitives!) is the key abstraction for scalable and attack-resilient blockchain state commitment.

Accepted by USENIX Security 2026.

1 Introduction

State root computation consumes 70–80% of total block processing time in modern blockchain systems [chainkv, lmpts, letus, nurgle, lvmt]. Every block must commit to a cryptographic digest of the entire state so that light clients can verify query results without trusting full nodes. This authenticated commitment step, not transaction execution, has become the binding constraint on end-to-end block throughput and confirmation latency.

Execution-layer optimizations reduced the cost of everything except commitment. Transaction-level parallelism [occda, blockstm, schain, parallelevm], instruction-level acceleration [forerunner, seer, mtpu, dtvm, superinstruction], and decoupled state storage architectures [chainkv, blocklsm, letus, splitDB, solsDB, erigon, reth] all improve execution throughput but cannot amortize the cost of updating the authenticated data structure (ADS), because commitment requires rehashing dependent node paths. Modern execution clients such as Erigon and Reth accordingly treat the ADS as a dedicated commitment engine [erigon, reth], making its write throughput the primary bottleneck.

Table 1: Comparison of ADS approaches for uniformly random 256-bit keys (e.g., Keccak-256 derived storage keys in Ethereum). $N$ is the number of keys; $m$ is the number of keys covered by a range proof.

| Approach | Crypto Primitive | Optimization | Height | Nurgle Resistance | Range Proof for Trie Key |
|---|---|---|---|---|---|
| MPT [ethereum] | Standard Hash | Baseline | $\leq \max(64, O(\log_{16} N))$ | No (low span) | Yes, $O(m + \log_{16} N)$ |
| RainBlock [rainblock] | Standard Hash | Storage (DSM-Tree) | $\leq \max(64, O(\log_{16} N))$ | No (low span) | Yes, $O(m + \log_{16} N)$ |
| LMPTs [lmpts] | Standard Hash | Storage (Mem/Disk Layering) | $\leq \max(64, O(\log_{16} N))$ | No (low span) | Yes, $O(m + \log_{16} N)$ |
| Prefix MPT [chainkv] | Standard Hash | Storage (Sequential Locality) | $\leq \max(64, O(\log_{16} N))$ | No (low span) | Yes, $O(m + \log_{16} N)$ |
| DMM-Trie [letus] | Standard Hash | Storage (Delta-encoded) | $\leq \max(64, O(\log_{16} N))$ | No (low span) | Yes, $O(m + \log_{16} N)$ |
| Unified Binary [binary] | Standard Hash | SNARK-Friendly (Binary) | $\leq \max(256, O(\log_{2} N))$ | No (low span) | Yes, $O(m + \log_{2} N)$ |
| LVMT [lvmt] | Vector Comm. | VC-based (High-span + HMT) | $\leq \max(16, O(\log_{65536} N)) + O(\log_{2}(\text{Epoch} \times \Delta))$ | Yes (high span) | Not native |
| Verkle Trie [verkle] | Vector Comm. | VC-based (High-span + stem) | $\leq \max(32, O(\log_{256} N))$ | Yes (high span) | Not native |
| Mhot | Standard Hash | Cross-layer (Adaptive Span + Bit-indexing + SIMD) | $\leq \max(\lceil 256/(k-1) \rceil, O(\log_{k} N))$ | Yes (adaptive span) | Yes, $O(m + \log_{k} N)$ |

Limitations of current approaches (Table 1). The Merkle Patricia Trie (MPT), Ethereum’s canonical authenticated state structure [ethereum], stores state in a Merkle-authenticated key-value trie. Lookups and updates follow the hexadecimal digits of a key from the root to a leaf, so each update rehashes every node on that path. As Ethereum’s state has grown, average path depth has reached 8 to 11 levels [chainkv]; the Nurgle attack [nurgle] exploits the same prefix structure by choosing keys with long common prefixes and pushing selected paths toward the worst case. Partitioning, checkpointing, and in-memory upper-level caching, as in Chainspace [chainspace], RainBlock [rainblock], and LMPTs [lmpts], improve scalability and average-case latency, but they preserve prefix-based traversal and leave worst-case height and Nurgle resistance unresolved.

Unfortunately, the limitation is structural.

In a prefix-based trie, each tree level consumes a fixed number of contiguous key bits. We call this per-level bit-width the span ($s$). A node that consumes $s$ bits must provide a child slot for every possible $s$-bit pattern; we call this number of child slots the fanout. In a prefix-based trie, $\text{fanout} = 2^{\text{span}}$, so the two quantities are coupled exponentially.

The apparent defense against adversarially shared prefixes is to increase the span so that each level consumes more key bits. However, large span inflates both node size and membership proofs, which must include sibling hashes at every level. For example, bounding the worst-case depth to at most 10 for 256-bit keys requires $s \geq 26$, resulting in roughly 67 million ($2^{26}$) child slots per node. This span–proof trade-off implies that no prefix-based scheme can simultaneously guarantee bounded worst-case height and compact membership proofs.

Vector-commitment alternatives (e.g., Verkle tries [verkle], LVMT [lvmt]) avoid this trade-off by algebraically decoupling proof size from fanout. However, both rely on trusted setup ceremonies and pairing-based elliptic-curve commitments, introducing trust assumptions and higher arithmetic costs that hash-based schemes do not require. Moreover, neither provides native support for range proofs, which are essential for verified state synchronization.

Our approach: height optimality without new cryptographic primitives. The key observation behind our approach is that prefix indexing itself causes the span–proof trade-off. This observation motivates our use of Height-Optimized Tries (HOT) [hot] as the structural foundation.

HOT branches on discriminative bits rather than on fixed prefixes. A discriminative bit is a bit position where at least two keys in the current subtree differ. Prefix-based indexing consumes bits at fixed positions regardless of whether they distinguish any keys; discriminative-bit indexing consumes a bit only where keys actually diverge. This difference lets HOT achieve provably minimal height among radix tries for any given key set. Discriminative-bit indexing couples span and fanout linearly, since a compound node with fanout $k$ consumes up to $k-1$ discriminative bits, compared to the $\log_2 k$ contiguous bits resolved by a prefix-based node of the same fanout. This linear coupling gives compound nodes enough span to absorb adversarial insertions without immediate depth growth. When restructuring is needed, HOT’s structure-adapting insertion algorithm places the new key to preserve the height-optimized invariant. These properties prevent long shared prefixes from directly turning into long root-to-leaf paths.

Mhot inherits HOT’s wide compound nodes, but this may create a new authentication cost. A direct hash-based proof for a child would include all $k-1$ sibling hashes inside the compound node, so proof size grows linearly with fanout and, in Mhot, with span. We address this with hierarchical proof, a two-layer Merkle architecture where each compound node maintains an internal Merkle tree over its children. Proving membership of a child then requires only $O(\log k)$ sibling hashes from this internal tree. Thus, proof size grows only logarithmically with Mhot’s fanout and, due to HOT’s linear span–fanout coupling, only logarithmically with its realized span. This is different from a prefix-indexed trie: because its fanout grows as $2^{\text{span}}$, the same internal Merkle tree would still leave proof size linear in span.

Another challenge is that HOT was originally designed for in-memory indexing and does not support persistence or authentication [hot]. The original work explicitly identifies disk-based deployment as an open challenge, since discriminative-bit tracking breaks the prefix locality relied upon by traditional persistent tries. Adapting HOT to Mhot therefore requires preserving its structural invariants while adding content-addressable persistence and cryptographically binding state roots. The search and insertion logic must remain intact, and membership, multipoint, and range proofs must be generated and verified against those roots.

We resolve these limitations in Mhot by making HOT-style nodes content-addressable, so node identifiers and state roots follow deterministically from the trie structure. This design makes Mhot persistent and cryptographically binding, while a parallel height-stratified commit pipeline and an LSM-tree-friendly layout control commitment and storage costs.

Our contribution. We present Mhot, an instantiation of HOT that supports both persistence and authenticated commitment, composing naturally with content-addressable, copy-on-write storage backends. Beyond throughput, Mhot’s compound node design provides structural resistance to Nurgle attacks. Even when an adversary controls an entire block’s gas budget, prefix collisions are absorbed through internal restructuring without propagating depth increases.

Evaluation under Ethereum mainnet workloads shows Mhot achieves up to 9× higher write throughput and 4× lower write amplification than MPT-based implementations, with 2× smaller proofs. Under Nurgle attack conditions, Mhot exhibits a 0% attack success rate, in contrast to the 99.97% success rate observed for MPT.

In short, we make the following contributions:

  • We identify span-proof coupling as the structural reason prefix-based authenticated tries cannot easily combine low worst-case height with compact proofs. Mhot avoids this coupling through HOT’s linear span-fanout relation and therefore uses only standard hash commitments rather than relying on vector commitments.

  • We adapt HOT to blockchain state commitment, presenting Mhot as a height-optimized ADS that resists adversarial key distributions through discriminative-bit tracking and high-fanout compound nodes.

  • We design hierarchical proofs, a two-layer Merkle construction that reduces per-node proof overhead from $O(k)$ to $O(\log k)$, breaking the linear dependence of proof size on span.

  • We resolve the open problem identified in the original HOT work [hot] on disk-based deployment through content-addressable indexing, a parallel height-stratified commit pipeline, and an LSM-tree-friendly layout for persistent keys.

  • We benchmark Mhot against MPT, RainBlock, and LVMT under Ethereum mainnet workloads, demonstrating up to 9× higher throughput and 2× smaller proofs.

2 Why Existing Solutions Fail

Each existing ADS approach (Table 1) sacrifices at least one of the listed properties: acceptable worst-case height, Nurgle resistance, transparent setup, or native range proofs. The root cause is prefix-based indexing, which we examine below.

2.1 The MPT Limitation

Ethereum stores its state in a Merkle Patricia Trie (MPT). To locate a value, the trie reads the key one hex digit at a time and follows the matching child pointer downward. When two keys share a prefix, they ride the same path until their digits diverge, at which point the trie forks. Branches that only a single key traverses are not kept as individual levels. Instead, the whole stretch is compressed into one node that remembers the shared prefix. Values sit at the leaves. Formally, the forking nodes are branch nodes, the compressed stretches are extension nodes, and the value-bearing endpoints are leaf nodes. This design, a Patricia-compressed radix trie, strips out unary chains but preserves the fixed-prefix indexing rule. Every update walks a root-to-leaf path, so changing any entry recomputes hashes along that whole path.

Ethereum implements this trie with content-addressed, copy-on-write nodes. Each materialized node is identified by the hash of its serialized content. Modifying a key-value pair creates a new leaf representation and recomputes hashes along the path from that leaf to the root (Figure 1). For a realized path of depth $d$, one state modification requires $O(d)$ hash computations and $O(d)$ node writes or lookups. Measurements show that average MPT depth on Ethereum mainnet has grown from 8 to 11 levels as state size increases. A single block now triggers over 8,700 disk I/O operations [chainkv].

This depth-dependent performance creates a denial-of-service (DoS) vector. The Nurgle attack [nurgle] exploits the MPT’s prefix-based indexing and Patricia compression to deepen realized trie paths. Attackers search for keys whose hashed trie indices share long prefixes with existing keys. Because the MPT routes keys by prefix, these keys traverse the same trie region before diverging. When such a key is inserted into a region where Patricia compression has collapsed a long shared prefix into one extension node, the insertion forces that node to split. A compressed path is materialized into additional branch and extension nodes, increasing the realized root-to-leaf depth by 1–2 levels per insertion. Later accesses to the affected keys require more node traversals, hash verifications, and disk lookups. Because Ethereum’s gas pricing charges per opcode rather than per node traversed [nurgle], the attacker pays almost nothing while validators absorb the I/O cost of the deepened paths. Current mitigations, including historical data pruning [eip4444] and gas repricing [eip4762], address symptoms rather than the structural root cause.
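The deepening mechanism described above, as an added example that is not part of the paper: a minimal hex Patricia trie (branch, extension and leaf nodes, hashing omitted) with a function that counts the materialized nodes on a key’s path, and a simulated Nurgle insertion sequence. The attacker keys are constructed directly from the victim’s key, which is an assumption standing in for the hash-collision search a real attacker must perform against Keccak-256-derived trie indices; every name in the block is this example’s own. With the defaults, 20 attacker keys push the victim’s path from a handful of nodes to more than twenty.

```python
import hashlib

HEX = 16
KEY_NIBBLES = 64  # 32-byte keys, one hex digit per nibble

class Leaf:
    def __init__(self, rest, value):
        self.rest, self.value = rest, value      # rest: nibbles not yet consumed

class Extension:
    def __init__(self, prefix, child):
        self.prefix, self.child = prefix, child  # compressed run of shared nibbles

class Branch:
    def __init__(self):
        self.children = [None] * HEX

def nibbles(key: bytes):
    return [n for b in key for n in (b >> 4, b & 0xF)]

def from_nibbles(ns):
    return bytes((ns[i] << 4) | ns[i + 1] for i in range(0, len(ns), 2))

def common_len(a, b):
    i = 0
    while i < len(a) and i < len(b) and a[i] == b[i]:
        i += 1
    return i

def insert(node, path, value):
    """Insert a key given as its remaining nibbles; returns the new subtree root."""
    if node is None:
        return Leaf(path, value)
    if isinstance(node, Branch):
        node.children[path[0]] = insert(node.children[path[0]], path[1:], value)
        return node
    stored = node.rest if isinstance(node, Leaf) else node.prefix
    if isinstance(node, Leaf) and stored == path:
        return Leaf(path, value)                  # overwrite an existing key
    c = common_len(stored, path)
    if isinstance(node, Extension) and c == len(stored):
        node.child = insert(node.child, path[c:], value)
        return node
    # Divergence inside a leaf or a compressed extension: materialize a fork.
    # Any shared run of nibbles in front of it becomes a new extension node.
    fork = Branch()
    if isinstance(node, Leaf):
        fork.children[stored[c]] = Leaf(stored[c + 1:], node.value)
    else:
        tail = stored[c + 1:]
        fork.children[stored[c]] = Extension(tail, node.child) if tail else node.child
    fork.children[path[c]] = Leaf(path[c + 1:], value)
    return Extension(stored[:c], fork) if c else fork

def path_depth(root, key: bytes) -> int:
    """Materialized nodes visited from the root to the leaf holding `key`."""
    node, path, depth = root, nibbles(key), 0
    while node is not None:
        depth += 1
        if isinstance(node, Leaf):
            return depth
        if isinstance(node, Extension):
            node, path = node.child, path[len(node.prefix):]
        else:
            node, path = node.children[path[0]], path[1:]
    return depth

def nurgle_keys(victim: bytes, count: int, shared: int):
    """Attacker keys: key i agrees with the victim on `shared + i` leading
    nibbles and differs at the next one, so each insertion forces one more
    fork on the victim's path. Constructed directly here (assumption); a real
    attacker must find preimages whose Keccak-256 digests behave this way."""
    vn, keys = nibbles(victim), []
    for i in range(count):
        n = shared + i
        tail = nibbles(hashlib.sha256(b"attack%d" % i).digest())
        keys.append(from_nibbles(vn[:n] + [(vn[n] + 1) % HEX] + tail[:KEY_NIBBLES - n - 1]))
    return keys

def demo(n_random=2000, attack=20, shared=8):
    """Victim path depth before and after the attacker's insertions."""
    root = None
    for i in range(n_random):                     # benign state: hash-distributed keys
        root = insert(root, nibbles(hashlib.sha256(b"k%d" % i).digest()), i)
    victim = hashlib.sha256(b"victim").digest()
    root = insert(root, nibbles(victim), -1)
    before = path_depth(root, victim)
    for k in nurgle_keys(victim, attack, shared):
        root = insert(root, nibbles(k), 0)
    return before, path_depth(root, victim)
```

Each attacker key agrees with the victim on one more nibble than the previous one, so every insertion splits the victim’s leaf (or an extension node in front of it) and appends at least one branch to the victim’s path; the first insertion additionally materializes an extension node for the run of nibbles it shares, which is the 1–2 levels per insertion noted above. Nothing in the benign state changed, yet every later access to the victim now walks roughly five times as many nodes.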

2.2 The Span–Proof Trade-off

Storage and system-level mitigations. Several approaches reduce authenticated-state cost without changing the local indexing rule. RainBlock [rainblock] decouples storage from consensus through sharded in-memory state. LMPTs [lmpts] keep recent-update tries in memory and store larger snapshot tries on disk. Chainspace [chainspace] splits smart-contract state across shards, builds commitments for shard-local state and history, and certifies those commitments through shard-level quorum signatures. ChainKV [chainkv] exploits sequential key locality through prefix-based storage. Letus [letus] uses delta-encoded state representation.

These mitigations improve normal-case performance and can reduce the short-term cost of adversarial accesses, but they do not remove the local depth mechanism exploited by Nurgle [nurgle]. If a shard, checkpoint, or cache-backed component still uses a fixed-prefix trie, an adversary can target keys whose distinguishing prefixes fall below the cached or partitioned boundary. The attack surface narrows or shifts, but the local tree still routes by fixed prefixes.

With a fixed 16-ary branching factor, each node consumes 4 prefix bits per level, so 256-bit keys have worst-case depth 64. Storage and system-level mitigations therefore complement, rather than replace, a local authenticated structure whose height resists adversarial prefix construction.

The exponential coupling. Prefix-based indexing couples span and fanout exponentially (§1), making high-span nodes intractable. The exponential blowup extends to proofs and commitment computation. A naive membership proof must include all sibling hashes at each tree level, yielding $O(d \cdot 2^{s})$ hash values in the proof. Hierarchical hashing reduces this to $O(d \cdot s)$ hashes, but each node still requires $O(2^{s})$ hash computations during commitment. Prefix-based indexing thus forces a choice: low depth with impractically large fanout, or practical node sizes with deep trees vulnerable to attack.

Figure 1: Cross-block node sharing in MPT under copy-on-write semantics. When accounts are modified, only affected paths change. Unchanged subtrees remain shared. Such append-only structure requires $O(d)$ writes per modification, where $d$ is the path length from leaf to root.

Cryptographic approaches. Vector-commitment schemes sidestep this trade-off by decoupling proof size from fanout through algebraic techniques. Verkle trees [verkle] use inner-product arguments to achieve $O(1)$ proof size per node with 256-ary fanout. LVMT [lvmt] extends this principle to $2^{16}$-ary nodes via KZG polynomial commitments [kzg], achieving $O(1)$ updates through version-value separation.

Both Verkle trees and LVMT, in their KZG-based form, require trusted setup ceremonies whose compromise would enable proof forgery, and their pairing-based verification imposes higher costs on resource-constrained light clients than standard hashing does. (The inner-product-argument instantiation adopted in Ethereum’s Verkle proposal [eip6800] avoids the setup ceremony, but it still needs elliptic-curve arithmetic for verification and its openings are logarithmic rather than constant in size.) LVMT inherits the Authenticated Multipoint Evaluation Tree’s in-place update model and thus cannot support historical state queries [lvmt, amt]. Neither natively supports range proofs, i.e., proofs that all keys within a specified interval satisfy certain properties, a capability essential for state synchronization protocols.

Prefix-based indexing is the shared root cause of both camps’ limitations. Storage-layer optimizations preserve transparency and range proofs but inherit Nurgle vulnerability because their low span cannot absorb adversarial insertions. Cryptographic solutions achieve Nurgle resistance through high span but sacrifice transparency and range proofs. Achieving attack-resistant depth without these trade-offs requires an indexing paradigm that decouples span from fanout.

3 Key Primitives

3.1 Authenticated Data Structures

An authenticated data structure (ADS) allows an untrusted prover to certify data-operation correctness without requiring the verifier to possess the entire dataset [ads]. Formally, an ADS provides three core primitives.

  • Commit. Given a dataset $D$, produce a short cryptographic digest $C$ that binds to $D$. In blockchain terminology, $C$ corresponds to the state root stored in block headers.

  • Prove. Given a query $q$ and its result $a$, generate a proof $\pi$ demonstrating that $a$ is the correct answer for $q$ under the committed dataset.

  • Verify. Given the commitment $C$, query $q$, claimed result $a$, and proof $\pi$, compute $\textsf{Verify}(C, q, a, \pi) \in \{0, 1\}$ to determine whether $a$ is authentic.

A secure ADS has two properties. Computational binding makes proof forgery computationally infeasible. Succinctness bounds proof size $|\pi|$ and verification time to $O(\log|D|)$, with some constructions achieving $O(1)$ for both [verkle, kzg].

Consensus protocols agree only on block headers containing the state root, not the full state. Blockchains therefore rely on ADS to make these compact commitments verifiable, enabling light clients to verify query responses against the block header rather than trusting RPC providers.

Modern execution clients (e.g., Erigon [erigon], Reth [reth]) decouple plain state storage from ADS. The underlying database handles execution-layer I/O directly, while the client propagates state updates to ADS for commitment maintenance. Under this architecture, the ADS functions as a dedicated commitment engine. Its primary performance metric is write throughput, measured as batch updates committed per second.

3.2 Height-Optimized Trie

HOT [hot] breaks exponential coupling (§2.2) by branching on discriminative bits rather than contiguous prefixes. Given a set of keys $K$ within a subtree, a bit position $i$ is discriminative if at least two keys in $K$ differ at that position. The discriminative bit positions of $K$ are

$$D(K) = \{\, i \mid \exists\, k_a, k_b \in K,\ \mathrm{bit}_i(k_a) \neq \mathrm{bit}_i(k_b) \,\}.$$

Prefix-based indexing, in contrast, consumes a fixed block of contiguous bits at each level regardless of whether those bits distinguish any keys.

Discriminative-bit indexing couples span and fanout linearly. A compound node with fanout $k$ consumes up to $k-1$ discriminative bits at arbitrary positions. A prefix-based node with the same fanout resolves only $\log_2 k$ contiguous bits per level, requiring far more levels to cover the full key. Concretely, a compound node with $k=27$ entries consumes up to 26 discriminative bits, well within practical limits.

Compound nodes aggregate multiple binary decisions into a single node containing up to $k$ entries, where $k=32$ is typical. Each compound node stores three components. The extraction mask identifies discriminative bit positions within this node’s scope. The sparse partial keys record only the discriminative bits for each entry. The entry data holds either a child pointer or a leaf value.

The result is adaptive span. In dense key regions, a node covers few bit positions with many entries; in sparse regions, a node spans many positions with few entries. Tree height adapts to actual key distribution rather than following fixed prefix widths. For any key set and fanout parameter $k$, HOT achieves provably minimal height among radix tries [hot]. For uniformly random 256-bit keys with $k=32$, this yields a theoretical minimum depth of $\lceil 256/31 \rceil = 9$ levels, nearly $6\times$ fewer than the 52 levels required by a prefix-based trie with the same fanout ($\log_2 32 = 5$ bits per level).

Earlier work measures path length as depth, while HOT uses height, following [hot]; both count compound-node hops from root to leaf. HOT defines the height of an internal node $n$ with children $c_i$ as $h(n) = \max_i h(c_i) + 1$, and $h(n) = 0$ for leaves. Unequal child heights create height gaps, which allow new nodes to be absorbed without increasing the global tree height.

HOT preserves height optimality via four insertion modes (Figure 2) that adapt the structure based on node height relations [hot]. Only Parent Pull-Up increases global height, while Normal Insert, Leaf Pushdown, and Intermediate Node Creation perform local restructuring that may lengthen individual paths. §6.6 examines whether such local path increases can be exploited for Nurgle-style attacks.

Figure 2: HOT insertion mechanisms with fanout $k=3$. (a) Normal Insert: the new key is added when the node has capacity. (b) Leaf pushdown: a collision creates a new child node containing both entries. (c) Parent pull-up: overflow propagates upward when $h_{\text{child}} + 1 = h_{\text{parent}}$; this is the only path that increases global tree height. (d) Intermediate node creation: when $h_{\text{child}} + 1 < h_{\text{parent}}$, an intermediate node absorbs the split within the height gap.

Binna et al. [hot] prove that HOT’s dynamic construction produces the same structure as Static Minimum Height Partitioning (SMHP) [smhp] of the underlying binary Patricia trie. This equivalence guarantees that HOT minimizes compound nodes on any root-to-leaf path.

Structural determinism means that a given key set produces an identical trie structure regardless of insertion order. HOT inherits this property from its underlying Patricia trie representation, since both the Patricia trie and SMHP partitioning are uniquely determined by the key set [hot].

These properties establish HOT as the structural basis for blockchain state commitment, but the original design operates in memory and provides no persistence or authentication.
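To make the discriminative-bit machinery of §3.2 concrete, the following is an added example (not the paper’s or the HOT library’s code) that builds one compound node over 32 keys of 256 bits: it computes $D(K)$, derives the positions actually tested by the binary Patricia trie over the keys (the bits the node extracts; there are at most $k-1$ of them, whereas $D(K)$ itself can be much larger), stores sparse partial keys, performs a lookup, and evaluates the height bounds quoted above. The key set mixes 16 unrelated keys with 16 keys that agree with one of them on their first 251 bits, so a single node spans positions from near 0 to 255. All names and the sha256-derived sample keys are this example’s own.

```python
import hashlib
import math

KEY_BITS = 256

def bit(key: int, i: int) -> int:
    """Bit i of a KEY_BITS-bit key; position 0 is the most significant bit."""
    return (key >> (KEY_BITS - 1 - i)) & 1

def discriminative_bits(keys) -> set:
    """D(K): every position at which at least two keys of K differ."""
    diff = 0
    for k in keys[1:]:
        diff |= keys[0] ^ k
    return {i for i in range(KEY_BITS) if bit(diff, i)}

def patricia_entries(keys, path=()):
    """Leaves of the binary Patricia trie over `keys`, each tagged with the
    (position, bit) decisions on its path. The tested positions are the
    discriminative bits a compound node over these keys must extract."""
    if len(keys) == 1:
        return [(path, keys[0])]
    i = min(discriminative_bits(keys))          # first position where the keys diverge
    zeros = [k for k in keys if bit(k, i) == 0]
    ones = [k for k in keys if bit(k, i) == 1]
    return patricia_entries(zeros, path + ((i, 0),)) + patricia_entries(ones, path + ((i, 1),))

class CompoundNode:
    """One compound node holding up to k leaf entries."""

    def __init__(self, values: dict, k: int = 32):
        keys = sorted(values)
        assert 2 <= len(keys) <= k
        leaves = patricia_entries(keys)
        self.entries = [(key, values[key]) for _, key in leaves]
        # Sparse partial key: only the bits an entry's own path tests.
        self.sparse = [dict(path) for path, _ in leaves]
        # Extraction mask: union of tested positions, at most k - 1 of them.
        self.mask = sorted({i for sp in self.sparse for i in sp})

    def fanout(self) -> int:
        return len(self.entries)

    def span(self) -> int:
        """Discriminative bits this node consumes (HOT's span)."""
        return len(self.mask)

    def lookup(self, key: int):
        dense = {i: bit(key, i) for i in self.mask}  # extract once through the mask
        for (stored, value), sparse in zip(self.entries, self.sparse):
            if all(dense[i] == b for i, b in sparse.items()):
                return value if stored == key else None  # candidate, then full-key compare
        return None

def hot_min_height(key_bits: int = KEY_BITS, k: int = 32) -> int:
    """ceil(key_bits / (k - 1)): the Table 1 bound for random keys."""
    return math.ceil(key_bits / (k - 1))

def prefix_trie_height(key_bits: int = KEY_BITS, k: int = 32) -> int:
    """A prefix-indexed node of fanout k resolves log2(k) bits per level."""
    return math.ceil(key_bits / math.log2(k))

def demo_key(tag: bytes) -> int:
    """Constructed 256-bit sample key."""
    return int.from_bytes(hashlib.sha256(tag).digest(), "big")

def demo_node() -> CompoundNode:
    """16 unrelated keys plus 16 keys that agree with one of them on their
    first 251 bits (an adversarially clustered region), all in one node."""
    values = {demo_key(b"k%d" % i): i for i in range(16)}
    base = demo_key(b"k0")
    for j in range(1, 17):
        values[base ^ j] = 100 + j
    return CompoundNode(values)
```

The clustered keys differ from `k0` only in positions 251 to 255, so the node’s extraction mask reaches the last bits of the key while the unrelated keys are separated near position 0; one node therefore covers both regions with at most 31 extracted bits, which is the adaptive span the text describes. $D(K)$ for the same keys contains almost every position, which is why a node extracts Patricia-tested bits rather than all of $D(K)$.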

4 Persistent Authentication for HOT

Mhot extends HOT with persistent authentication, enabling its use as a blockchain state commitment engine. We introduce a set of orthogonal extensions that build on top of HOT’s core algorithms without modifying them.

We first outline requirements in §4.1. We then present key components: We introduce content-addressable persistence to provide deterministic node identifiers while inheriting cryptographic authentication (§4.2). We design a two-layer Merkle construction that reduces per-node proof overhead from $O(k)$ to $O(\log k)$ (§4.3). We develop a batched commit pipeline that defers and parallelizes hash computation, eliminating redundant work when insertions share ancestors (§4.4). We apply storage-layer optimizations that exploit HOT’s structural properties to improve disk I/O efficiency (§4.5).

4.1 Design Requirements

A blockchain authenticated data structure must satisfy five requirements. Short commit paths reduce the computation per update, directly affecting block execution time. Structural determinism guarantees that identical key sets produce identical tree structures, a prerequisite for validators to agree on state roots. Trust minimization avoids trusted third parties, restricting security assumptions to cryptography alone. Memory efficiency reduces disk I/O by caching frequently accessed state in memory. Attack resistance prevents adversaries from exploiting structural flaws to extend storage paths and exhaust client I/O [eip3102, eip6800, ethereum, eip1186, eip2929, eip150, nurgle].

Short commit paths and structural determinism follow from HOT’s height optimality and greedy partitioning, while memory efficiency derives from adaptive linearized node layout and SIMD-accelerated operations; we validate attack resistance empirically (§6). Two design challenges remain. First, the original HOT’s page-based node identifiers are machine-dependent and carry no cryptographic meaning; content-addressable indexing (§4.2) resolves this by deriving each identifier from the hash of its content, satisfying trust minimization without a trusted setup. Second, embedding authentication in high-fanout compound nodes risks inflating proof size; our authentication mechanism targets logarithmic overhead to keep proofs practical (§4.3).

4.2 Content-Addressable Persistence

Indexing HOT nodes demands a custom strategy; approaches that work for conventional tries fail for HOT’s compound-node structure. We consider and reject two naive alternatives before arriving at our solution.

Traditional radix tries index nodes by path prefix, but HOT’s compound nodes track only discriminative bits without recording complete prefixes, so prefix-based indexing does not apply. One might instead use accumulated discriminative bits as identifiers; however, HOT’s insertion algorithm dynamically adjusts which bits are discriminative, causing cascading identifier updates across affected subtrees.

We design Mhot around content-addressable indexing, where each node’s database key equals the hash of its serialized content. This scheme exploits HOT’s structural determinism (§3.2), which guarantees that identical key sets yield identical tree structures. A node’s content depends uniquely on the keys it covers, since extraction masks, sparse partial keys, and child references are all determined by those keys; identical logical nodes therefore produce identical hashes regardless of creation time, so all validators derive the same identifiers for the same state. Hash-based indexing also requires no trusted setup, satisfying the trust minimization requirement.

Like MPT [ethereum], content-addressable storage inherits copy-on-write semantics (see Figure 1), where modifying any node invalidates its hash and all ancestor references. This approach expands child references from the original 4–8-byte pointers to 40-byte identifiers (Figure 3), adding roughly 1 KB per fully-populated node at $k=32$. We accept this overhead because uniform, fixed-format references simplify serialization and eliminate branching in traversal code.

Mhot fixes the key length at 256 bits to match the output of Keccak-256 used for Ethereum’s storage key derivation. As a result, extraction masks and sparse partial keys have fixed maximum sizes and are stored in fixed-length fields, while only the child reference array grows dynamically with the number of entries. This layout enables simple, single-pass serialization. Figure 3 illustrates the node structure.

Figure 3: Node layout in Mhot. The top panel shows a compound node with fixed-size metadata and variable-length child array. The bottom panel shows two child reference formats. Final references store version, height, and hash; Temp references store a temporary ID for deferred hashing.

4.3 Hierarchical Proof

Each compound node embeds $k$ child hashes, so proof size grows linearly with fanout. A naive inclusion proof must contain all $k-1$ sibling hashes at each level so the verifier can reconstruct parent hashes up to the root, yielding $O(h \cdot k)$ hashes per proof. With 32-byte Keccak-256 hashes, this totals $h(k-1) \cdot 32 \approx 5$ KB for typical parameters ($k=32$, $h=5$).

We address this using a two-layer Merkle architecture that trades additional commitment-time computation for compact proofs. Each compound node computes a Children Merkle Root (CMR), a binary Merkle root over its $k$ child hashes. Membership proofs then include only $O(\log k)$ binary Merkle siblings per node, instead of all $k-1$ child hashes, reducing per-node overhead from $O(k)$ to $O(\log k)$. For $k=32$, this yields roughly a $6\times$ reduction in hash overhead (5 siblings per node instead of 31). In practice, single-point proofs are about 1.1–1.4 KB, compared to 2.3–2.9 KB for MPT (§6).

We adopt binary Merkle trees to preserve standard hash-based verification without trusted setup. Although each CMR incurs O(k)O(k) hashing cost at commit time, this overhead is absorbed by the batched commit pipeline (§4.4). §5.1 formalizes the construction and extends it to compact multiproofs.
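The two-layer construction, as an added example (not the paper’s code) that also instantiates the Commit/Prove/Verify triple of §3.1 for one compound node: `cmr` computes the Children Merkle Root, `cmr_proof` produces the $\lceil \log_2 k \rceil$ siblings for one child, `cmr_verify` recomputes the root from them, and `node_hash` binds the node’s metadata to its CMR so that the node digest doubles as its content address. `sha3_256` from `hashlib` stands in for Keccak-256, unused slots are padded with an all-zero hash when $k$ is not a power of two, and the domain-separation bytes are this example’s own assumptions.

```python
import hashlib
import math

def H(*parts: bytes) -> bytes:
    """sha3_256 stands in for Keccak-256 (hashlib has no Keccak-256)."""
    return hashlib.sha3_256(b"".join(parts)).digest()

EMPTY = bytes(32)  # padding for unused slots when k is not a power of two (assumption)

def _padded(children):
    size = 1 << max(1, math.ceil(math.log2(len(children))))
    return list(children) + [EMPTY] * (size - len(children))

def cmr(children) -> bytes:
    """Children Merkle Root: binary Merkle root over a compound node's child hashes."""
    layer = _padded(children)
    while len(layer) > 1:
        layer = [H(b"\x01", layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]

def cmr_proof(children, idx: int):
    """Bottom-up sibling hashes that let a verifier recompute the CMR for child idx."""
    layer, proof = _padded(children), []
    while len(layer) > 1:
        proof.append(layer[idx ^ 1])
        layer = [H(b"\x01", layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
        idx //= 2
    return proof

def cmr_verify(root: bytes, child: bytes, idx: int, proof) -> bool:
    """Recompute the CMR from a child hash and its sibling path."""
    h = child
    for sib in proof:
        h = H(b"\x01", h, sib) if idx % 2 == 0 else H(b"\x01", sib, h)
        idx //= 2
    return h == root

def node_hash(extraction_mask: bytes, partial_keys: bytes, children) -> bytes:
    """Compound-node digest and content address: metadata bound to the CMR, so a
    proof carries the metadata plus O(log k) siblings instead of all k children."""
    return H(b"node", extraction_mask, partial_keys, cmr(children))

def path_proof_sizes(height: int, k: int, hash_len: int = 32):
    """Sibling-hash bytes for a single-point proof across `height` nodes:
    naive (k - 1 per node) versus hierarchical (ceil(log2 k) per node)."""
    return height * (k - 1) * hash_len, height * math.ceil(math.log2(k)) * hash_len
```

A verifier holding the node’s metadata recomputes `node_hash` from the five siblings and the claimed child, then continues one level up; the commit-time cost is the $k-1$ extra hashes per node spent building the internal tree, which is the trade noted above.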

4.4 Batch Commit Pipeline

Each insertion rehashes the entire root-to-leaf path. When multiple insertions share ancestors, naive processing repeatedly rehashes the same dirty nodes, i.e., nodes modified since the last commit. We eliminate this redundancy by proposing three optimizations as below.

Deferred hashing. We defer hashing until block commit using mixed child references. Each reference stores a type tag distinguishing finalized hashes from temporary IDs. During insertion, dirty nodes receive temporary IDs and enter a pending map. Parents reference these temporary IDs rather than hashes, deferring computation until commit.

Copy-on-write occurs at most once per node per block. Once a node enters the pending map with a temporary ID, subsequent traversals update it in place rather than cloning. When an insertion first modifies a finalized node, we clone it into the pending map (Algorithm 1, lines 11–12); subsequent insertions that traverse the same node find a temporary reference and update it in place without cloning (line 9). The resulting memory overhead is $O(h)$ pending nodes per insertion, where $h$ is tree height.

Algorithm 1 Insert with Deferred Hashing
Input: key K, value v, tree T, pending map P
Output: a temporary ID referencing the updated root
1:  P[Alloc()] ← (Leaf(K, v), 0); cid ← allocated ID
2:  path ← ⟨⟩; r ← T.root
3:  while r is internal do
4:      n ← Get(r); s ← Slot(n, K)              ▷ extract discriminative bits, match partial keys
5:      path.Push((n, s, r)); r ← n.ch[s]
6:  end while
7:  for all (n, s, r) ∈ path in reverse do
8:      if r.tag = Temp then                      ▷ in P: update in place
9:          P[r.id].n.ch[s] ← cid; cid ← r.id
10:     else                                      ▷ finalized: clone once
11:         n′ ← Clone(n); n′.ch[s] ← cid
12:         P[Alloc()] ← (n′, n′.ht); cid ← allocated ID
13:     end if
14: end for
15: return cid

Height-stratified batch commit. At block boundaries, we finalize all pending nodes in one batched traversal (cf. Algorithm 2). Correct ordering requires processing children before parents. HOT derives this order from each node’s height (recall §3.2); since children have strictly lower heights, ascending height order satisfies the dependency. We group nodes by height and process from leaves upward, replacing temporary references with finalized hashes at each level.

Parallel execution. Nodes at the same height share no data dependencies, allowing concurrent hash computation within each level. Processing advances to the next height only after synchronizing all hashes at the current height. Correctness follows because temporary references always point to children at strictly lower heights, so each level reads only from entries that prior levels finalized in $F$ (cf. Algorithm 2).

Because HOT records node height as a built-in property, Mhot can use height directly to schedule commit. Nodes at the same height have no Merkle dependencies on one another, so they can be hashed in parallel with one barrier between levels, without fine-grained synchronization or uneven subtree splits. The same height grouping aligns with the storage layout in §4.5, allowing finalized nodes to be flushed in locality-preserving batches. MPT-style tries do not expose this height order directly, so recovering such a schedule requires extra bookkeeping [geth-parallel-node-fetching].

Algorithm 2 Height-Stratified Batch Commit
Input: pending map $P$: ID $\to$ (node, height), version $v$
Output: root reference $(v, \mathit{hash})$
1: $F \leftarrow \emptyset$ ▷ temp ID $\to$ finalized ref
2: for $h \leftarrow 0$ to $\max(P.\mathit{heights})$ do
3:   for all $(\mathit{id}, n) \in P$ at height $h$ do in parallel
4:     for all $c$ in $n.\mathit{ch}$ do
5:       if $c.\mathit{tag} = \textsc{Temp}$ then $c \leftarrow F[c.\mathit{id}]$
6:       end if
7:     end for
8:     $F[\mathit{id}] \leftarrow (v, \textsc{Hash}(\textsc{Ser}(n)))$
9:   end for
10: end for
11: return $F[\mathit{root\_id}]$
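As an added illustration of Algorithms 1 and 2 (not code from the paper, whose implementation is in Rust), the following Python models the pending map with temporary IDs, copy-on-write once per node per block, and height-stratified commit over a small constructed tree, then checks the deferred result against an eagerly built tree. The routing rule, the fixed tree shape (an insert at an occupied slot replaces that leaf) and SHA-256 in place of Keccak are simplifying assumptions.

```python
import hashlib
from itertools import count

KEY_BITS = 8  # constructed 8-bit keys; bit 0 is the most significant bit


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf(key: int, value: bytes) -> dict:
    return {"kind": "leaf", "key": key, "value": value, "ht": 0}


def internal(bits: list, children: list, ht: int) -> dict:
    return {"kind": "internal", "bits": bits, "ch": children, "ht": ht}


def slot(node: dict, key: int) -> int:
    # slot index formed by the key's bits at the node's discriminative positions
    s = 0
    for b in node["bits"]:
        s = (s << 1) | ((key >> (KEY_BITS - 1 - b)) & 1)
    return s


def ser(node: dict) -> bytes:
    if node["kind"] == "leaf":
        return b"L" + bytes([node["key"]]) + node["value"]
    assert all(tag == "hash" for tag, _ in node["ch"]), "unresolved temp reference"
    return b"I" + bytes(node["bits"]) + b"".join(d for _, d in node["ch"])


class Tree:
    def __init__(self):
        self.store = {}    # finalized nodes: digest -> node
        self.pending = {}  # pending map P: temp id -> node (height kept in node["ht"])
        self.alloc = count(1)
        self.clones = 0    # copy-on-write events, counted for the demonstration
        self.root = None   # reference: ("hash", digest) once finalized, ("temp", id) while pending

    def get(self, ref: tuple) -> dict:
        return self.pending[ref[1]] if ref[0] == "temp" else self.store[ref[1]]

    def add_final(self, node: dict) -> tuple:
        d = h(ser(node))
        self.store[d] = node
        return ("hash", d)

    def insert(self, key: int, value: bytes) -> tuple:
        """Algorithm 1: route to a leaf, then rewire the path with temp IDs."""
        cid = next(self.alloc)
        self.pending[cid] = leaf(key, value)
        path, r = [], self.root
        while self.get(r)["kind"] == "internal":
            n = self.get(r)
            s = slot(n, key)
            path.append((n, s, r))
            r = n["ch"][s]
        for n, s, r in reversed(path):
            if r[0] == "temp":          # already in P: update in place (line 9)
                n["ch"][s] = ("temp", cid)
                cid = r[1]
            else:                       # finalized: clone exactly once (lines 11-12)
                n2 = dict(n)
                n2["ch"] = list(n["ch"])
                n2["ch"][s] = ("temp", cid)
                cid = next(self.alloc)
                self.pending[cid] = n2
                self.clones += 1
        self.root = ("temp", cid)
        return self.root

    def commit(self) -> bytes:
        """Algorithm 2: finalize pending nodes by ascending height, children first."""
        F = {}  # temp id -> finalized reference
        for ht in range(max(n["ht"] for n in self.pending.values()) + 1):
            # nodes at one height share no dependencies, so this level could run in parallel
            for i, n in [(i, n) for i, n in self.pending.items() if n["ht"] == ht]:
                if n["kind"] == "internal":
                    n["ch"] = [F[c[1]] if c[0] == "temp" else c for c in n["ch"]]
                F[i] = self.add_final(n)
        self.root = F[self.root[1]]
        self.pending.clear()
        return self.root[1]


def build(t: Tree, values: dict) -> None:
    """Constructed fixed-shape tree: root routes on bit 0, each child node on bit 1."""
    subs = []
    for hi in (0, 1):
        leaves = [t.add_final(leaf(k, values[k])) for k in (hi << 7, (hi << 7) | 1 << 6)]
        subs.append(t.add_final(internal([1], leaves, 1)))
    t.root = t.add_final(internal([0], subs, 2))


def demo() -> dict:
    t = Tree()
    base = {0x00: b"a", 0x40: b"b", 0x80: b"c", 0xC0: b"d"}
    build(t, base)
    t.insert(0x00, b"A")
    t.insert(0x40, b"B")  # shares the root and the left child with the first insert
    clones, pending = t.clones, len(t.pending)  # 2 clones, 4 pending nodes
    root = t.commit()
    ref = Tree()  # the same final state built eagerly, to check the deferred result
    build(ref, {**base, 0x00: b"A", 0x40: b"B"})
    return {"clones": clones, "pending": pending, "root": root,
            "matches_eager": root == ref.root[1]}
```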

4.5 Storage Optimizations

Embedding hashes enlarges node footprint; three techniques mitigate this overhead.

Metadata compression. We serialize only populated fields. The extraction mask stores positions of set bits rather than a full 256-bit vector; sparse partial keys use adaptive bit widths. All fields concatenate without internal pointers, so serialization completes in a single pass.

Write ordering. We batch writes across multiple blocks. Each block computes its state root immediately, but nodes accumulate in memory until a configurable flush threshold triggers a single batch write. Each database key consists of a 64-bit prefix followed by the 256-bit content hash, totaling 40 bytes. The prefix encodes a 1-bit type flag distinguishing leaves from internal nodes, a 55-bit version number recording the block of creation, and an 8-bit height value. Version-prefixed ordering groups nodes by creation block, while the height suffix clusters same-height nodes within each block. This layout aligns with Mhot’s height-stratified commit and enables sequential batch reads during traversal. Sorting keys before writing yields locality that LSM-tree storage engines exploit for efficient ingestion [chainkv, lsmtree].
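An added example (not the paper's code) of the 40-byte database key described above. The field order within the 64-bit prefix (type flag in the top bit, then version, then height) and big-endian byte order are assumptions, since the page states only the field widths; under that layout the type bit partitions the key space first, and within each partition byte-wise sorting orders by version and then height.

```python
import hashlib

LEAF, INTERNAL = 0, 1
VERSION_BITS, HEIGHT_BITS = 55, 8


def encode_key(node_type: int, version: int, height: int, content_hash: bytes) -> bytes:
    """Assumed layout: 64-bit prefix [type:1 | version:55 | height:8], then the 256-bit hash."""
    assert node_type in (LEAF, INTERNAL) and len(content_hash) == 32
    assert 0 <= version < 1 << VERSION_BITS and 0 <= height < 1 << HEIGHT_BITS
    prefix = (node_type << 63) | (version << HEIGHT_BITS) | height
    return prefix.to_bytes(8, "big") + content_hash


def decode_key(key: bytes) -> tuple:
    assert len(key) == 40
    prefix = int.from_bytes(key[:8], "big")
    version = (prefix >> HEIGHT_BITS) & ((1 << VERSION_BITS) - 1)
    return prefix >> 63, version, prefix & 0xFF, key[8:]


def demo() -> list:
    """Constructed keys from two blocks; byte-wise sorting (as an LSM engine does) groups
    them by version and then by height within each block, within each type class."""
    def ch(tag: bytes) -> bytes:
        return hashlib.sha256(tag).digest()   # stand-in for the node content hash
    keys = [
        encode_key(INTERNAL, 1001, 3, ch(b"n1")),
        encode_key(LEAF, 1000, 0, ch(b"l1")),
        encode_key(INTERNAL, 1000, 2, ch(b"n2")),
        encode_key(INTERNAL, 1000, 1, ch(b"n3")),
        encode_key(LEAF, 1001, 0, ch(b"l2")),
    ]
    return [decode_key(k)[:3] for k in sorted(keys)]
```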

Asynchronous persistence. We decouple state root computation from disk I/O by delegating writes to a background thread, avoiding stalls during block execution. When multiple batches complete before a flush finishes, pending writes coalesce into a single disk operation, amortizing fsync overhead. The underlying LSM-tree engine’s write-ahead log ensures durability; committed data remains recoverable even if a crash precedes the next flush.

The next section formalizes Mhot’s proof mechanisms (§5), followed by performance evaluation (§6).

5 Proof Mechanisms

Mhot supports four proof types within a unified framework: single-point membership and non-membership proofs, multi-point membership proofs, lower bound proofs, and range proofs. This section formalizes each mechanism with proof sketches; Appendix B gives the full game-based security proofs.

5.1 Two-Layer Merkle Architecture

The naive approach of including all children's hashes directly in each proof node yields proof sizes of $O(h\cdot k)$, where $h$ is the tree height and $k$ is the fanout. For typical parameters ($k=32$, $n=10^{8}$), this produces approximately 5 KB per proof—unacceptable for bandwidth-constrained applications.

Mhot addresses this through a two-layer Merkle architecture. The inter-node layer maintains the tree structure connecting compound nodes. The intra-node layer introduces a Merkle tree [merkle] over children within each compound node, enabling logarithmic-size proofs for child membership.

Definition 1 (Children Merkle Root).

For a compound node $N$ with children $C=(c_{0},\ldots,c_{|N|-1})$, the children Merkle root is defined as:

$$\mathrm{CMR}(N)=\mathrm{MerkleRoot}(H(c_{0}),H(c_{1}),\ldots,H(c_{|N|-1})) \tag{1}$$

where the Merkle tree is padded to the next power of 2 using a canonical zero hash.

Definition 2 (Node Content Hash).

The node content hash of a compound node $N$ incorporates all structural information:

$$H_{\text{content}}(N)=H(M\parallel S\parallel \mathrm{CMR}(N)\parallel L) \tag{2}$$

where $M$ denotes the extraction masks (32 bytes), $S$ denotes the sparse partial keys ($|N|\times 4$ bytes), and $L$ denotes the child leaf counts ($|N|\times 4$ bytes).

This architecture reduces per-node overhead from $O(k)$ to $O(\log k)$ hashes.

Definition 3 (Node Proof Entry).

For a compound node $N$ and child index set $J\subseteq[0,|N|)$ with $t=|J|$:

$$\mathrm{NPE}(N,J)=\bigl(J,\;M,\;S,\;L,\;\eta,\;v,\;\underbrace{\Pi_{J}^{\mathrm{CMR}}}_{\text{intra-node proof}}\bigr) \tag{3}$$

where $\Pi_{J}^{\mathrm{CMR}}$ is a compact Merkle multiproof for the children $\{c_{j}:j\in J\}$ within $\mathrm{CMR}(N)$, requiring $O(t\cdot(\log k-\log t))$ sibling hashes [merkle-multiproof]. When $t=1$, this reduces to a standard Merkle proof with $O(\log k)$ siblings.

All proof types discussed in the following embed $\Pi_{J}^{\mathrm{CMR}}$ within each node entry, ensuring that proof size scales with $O(\log k)$ rather than $O(k)$ per node.

5.2 Single-Point Proofs

Mhot’s single-point proofs rely on the fact that HOT search constitutes an optimistic search. Unlike traditional Patricia tries where searching for a non-existent key may fail mid-traversal, HOT’s sparse matching semantics guarantee that search always reaches some leaf—though this leaf may differ from the query key. The search only matches discriminative bits at each node; the reached leaf shares all discriminative bit values with the query but is not guaranteed to be lexicographically adjacent. A final comparison between the reached leaf and the query key determines membership.

Lemma 1 (HOT Optimistic Search Invariant).

For any non-empty HOT trie $T$ and any query key $K$, the optimistic search procedure terminates at exactly one leaf node $K'$ that agrees with $K$ on all discriminative bits encountered during traversal, regardless of whether $K$ exists in $T$.

Proof sketch (Lemma 1).

HOT search at each internal node computes $\mathrm{dense}(K,M)$ and finds the last index $j$ satisfying $(\mathrm{dense}\land\mathrm{sparse}[j])=\mathrm{sparse}[j]$. By the HOT construction invariant, the first sparse partial key is always 0 (corresponding to the leftmost subtree). Since $(\mathrm{dense}\land 0)=0$ holds for all dense values, at least one match exists at every non-empty node. The search thus proceeds deterministically to a unique leaf that matches the query on all discriminative bits. However, non-discriminative bits may differ, so the final leaf $K'$ must be compared against $K$ to determine membership. ∎

This invariant unifies membership and non-membership proofs as they both execute identical search algorithms, differing only in the final comparison.

Corollary 2 (Proof Unification).

Membership and non-membership proofs share identical proof generation and path verification algorithms. The distinction lies only in the final predicate:

$$\mathrm{ProofType}(K,K_{0})=\begin{cases}\text{Membership}&\text{if }K_{0}=K\\ \text{Non-Membership}&\text{if }K_{0}\neq K\end{cases} \tag{4}$$

where $K_{0}$ denotes the key of the leaf reached by searching for $K$.
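As an added example, not the paper's code, the following Python implements the optimistic search of Lemma 1 over one constructed compound node with discriminative bits {0, 2, 5}, the final predicate of Corollary 2, and the routing-consistency check that non-membership verification performs (Algorithm 3, Phase 1). The 8-bit keys, the node's sparse partial keys and the leaf values are constructed.

```python
KEY_BITS = 8  # constructed 8-bit keys; bit 0 is the most significant bit


def bit(key: int, pos: int) -> int:
    return (key >> (KEY_BITS - 1 - pos)) & 1


def dense_key(key: int, mask: list) -> int:
    """dense(K, M): the key's bits at the node's discriminative positions, concatenated."""
    d = 0
    for pos in mask:
        d = (d << 1) | bit(key, pos)
    return d


def search_sparse(dense: int, sparse: list) -> int:
    """Last index j with (dense AND sparse[j]) == sparse[j]; index 0 always matches."""
    assert sparse[0] == 0, "HOT invariant: the first sparse partial key is 0"
    j = 0
    for i, s in enumerate(sparse):
        if dense & s == s:
            j = i
    return j


def optimistic_search(node, key: int):
    """Lemma 1: descend by discriminative bits only; always ends at some leaf (key, value)."""
    path = []
    while isinstance(node, dict):
        j = search_sparse(dense_key(key, node["mask"]), node["sparse"])
        path.append((node, j))
        node = node["ch"][j]
    return path, node


def proof_type(node, key: int) -> str:
    """Eq. (4): the final comparison with the reached leaf decides membership."""
    _, (reached_key, _) = optimistic_search(node, key)
    return "Membership" if reached_key == key else "Non-Membership"


def routing_consistent(path, key: int, reached_key: int) -> bool:
    """Algorithm 3, Phase 1, plus the non-membership check: the query and the
    reached leaf must select the same child index at every node on the path."""
    return all(search_sparse(dense_key(key, n["mask"]), n["sparse"]) == j
               and search_sparse(dense_key(reached_key, n["mask"]), n["sparse"]) == j
               for n, j in path)


# Constructed compound node over discriminative bits {0, 2, 5}: keys with bit 0 = 0
# split on bit 2, keys with bit 0 = 1 split on bit 5.  Each sparse partial key holds
# the bits set along its leaf's path, so bit 5 is irrelevant for the left pair and
# bit 2 for the right pair; entries are sorted and the first is 0.
NODE = {
    "mask": [0, 2, 5],
    "sparse": [0b000, 0b010, 0b100, 0b101],
    "ch": [(0x00, b"A"), (0x20, b"B"), (0x80, b"C"), (0x84, b"D")],
}


def demo() -> dict:
    """For each query: reached key, proof type, and whether the routing check passes."""
    out = {}
    for q in (0x20, 0x24, 0xB0, 0xFF):
        path, (reached_key, _) = optimistic_search(NODE, q)
        out[q] = (reached_key, proof_type(NODE, q), routing_consistent(path, q, reached_key))
    return out
```

The query 0xB0 is the instructive case: its dense key 0b110 is a superset of 0b010 and 0b100 but not of 0b101, so the last subset match (index 2, leaf 0x80) is chosen even though 0xB0 and 0x80 differ on the non-discriminative bit 2.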

Membership proof. For a key $K$ with associated value $V$, the membership proof takes the form:

$$\pi_{\text{mem}}(K)=(K,V,v_{\text{leaf}},\text{Path}) \tag{5}$$

where $\text{Path}=(\mathrm{NPE}(N_{0},J_{0}),\ldots,\mathrm{NPE}(N_{h-1},J_{h-1}))$ traces the search path from root to leaf, with $|J_{i}|=1$ for single-point proofs.

Algorithm 3 presents the verification procedure.

Algorithm 3 Membership Proof Verification
Input: proof $\pi$, expected root $R$
Output: True if the proof is valid
1: ▷ Phase 1: verify routing consistency
2: for all entry $\in \pi.\text{path}$ do
3:   $d \leftarrow \textsc{DenseKey}(\pi.\text{key}, \text{entry}.\text{masks})$
4:   $j \leftarrow \textsc{SearchSparse}(d, \text{entry}.\text{sparse\_keys})$
5:   if $j \neq \text{entry}.\text{child\_idx}$ then
6:     return False ▷ routing mismatch
7:   end if
8: end for
9: ▷ Phase 2: reconstruct hashes bottom-up
10: $h_{\text{child}} \leftarrow H_{\text{leaf}}(\pi.\text{key}, \pi.\text{value})$
11: for all entry $\in \pi.\text{path}.\textsc{Reversed}()$ do
12:   $\text{cmr} \leftarrow \textsc{ReconstructCMR}(h_{\text{child}}, \text{entry})$
13:   $h_{\text{child}} \leftarrow H(\text{entry}.\text{masks} \parallel \text{entry}.\text{sparse\_keys} \parallel \text{cmr} \parallel \text{entry}.\text{leaf\_counts})$
14: end for
15: ▷ Phase 3: compare with the expected root
16: return $h_{\text{child}} = R.\text{content\_hash}$

Non-membership proof. For a key $K$ not present in the trie, the non-membership proof includes the neighbor leaf $(K',V')$ reached by executing the same search algorithm. Verification additionally checks that both $K$ and $K'$ route through identical children at every node, ensuring that $K'$ is indeed the leaf that HOT search would reach for $K$.

Theorem 3 (Single-Point Soundness).

If verification succeeds, then with overwhelming probability $1-\mathrm{negl}(\lambda)$:

  1. For membership proofs: $(K,V)\in T$

  2. For non-membership proofs: $K\notin T$

Proof sketch (Theorem 3).

By collision resistance of $H$, the bottom-up hash reconstruction produces a unique sequence of node hashes. The routing consistency check ensures that $K$ traverses exactly the claimed path. For the final hash to match the root commitment, either the path authentically exists or the adversary found a hash collision. The latter occurs with probability at most $\mathrm{negl}(\lambda)$. For non-membership, Lemma 1 guarantees that the optimistic search uniquely determines the leaf $K'$ reached for query $K$, proving that no other leaf could be found by the same search procedure. ∎

5.3 Multi-Point Membership Proof

A naive approach to verifying $m$ membership proofs requires $O(m\cdot h\cdot(k-1))$ sibling hashes. Mhot reduces this through two optimizations: path sharing (keys traversing the same node share that node's metadata) and compact multiproofs (proving $t$ children within a node requires $O(t(\log k-\log t))$ sibling hashes rather than $O(t(k-1))$).

Definition 4 (Compact Merkle Multiproof).

Given a Merkle tree $T$ with leaves $L$ and a subset $I\subseteq[0,|L|)$ of indices to prove, a compact multiproof consists of:

$$\pi_{\text{multi}}=(I,\Sigma) \tag{6}$$

where $\Sigma$ represents the minimal set of sibling hashes needed to reconstruct the root from the proven leaves $\{L[i]:i\in I\}$.

Compact multiproofs exploit shared ancestors among the $m$ proven leaves to eliminate redundant sibling hashes, reducing proof size from the naive $m\cdot h$ to as few as $h+m-1$ when leaves are clustered [merkle-multiproof].

The compact multiproof generation algorithm (Algorithm 5) traverses the tree bottom-up, collecting sibling hashes only for nodes where one child is known but the other is not.
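The following added Python example (not the paper's code) covers the two-layer construction of §5.1 (Definitions 1 to 3) and the compact multiproof of Definition 4: it pads the children to a power of two with a zero hash, derives the node content hash, and generates and verifies a minimal sibling set for a child index set $J$ bottom-up, emitting a sibling only where one node of a pair is known and the other is not. SHA-256 stands in for the paper's hash, and the 32 child hashes and the node metadata are constructed.

```python
import hashlib

ZERO = bytes(32)  # canonical zero hash used to pad the children Merkle tree


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def next_pow2(n: int) -> int:
    p = 1
    while p < n:
        p <<= 1
    return p


def merkle_levels(leaves: list) -> list:
    """All levels of the binary Merkle tree over the leaves, leaves first, padded with ZERO."""
    level = list(leaves) + [ZERO] * (next_pow2(len(leaves)) - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def cmr(child_hashes: list) -> bytes:
    """Definition 1: Children Merkle Root."""
    return merkle_levels(child_hashes)[-1][0]


def content_hash(masks: bytes, sparse_keys: list, child_hashes: list, leaf_counts: list) -> bytes:
    """Definition 2: H(M || S || CMR(N) || L) with a 32-byte M and 4-byte S and L entries."""
    assert len(masks) == 32
    S = b"".join(k.to_bytes(4, "big") for k in sparse_keys)
    L = b"".join(c.to_bytes(4, "big") for c in leaf_counts)
    return H(masks, S, cmr(child_hashes), L)


def multiproof(child_hashes: list, J: set) -> list:
    """Definition 4: sibling hashes needed to rebuild the CMR from children J, collected
    bottom-up; a sibling is emitted only when one node of a pair is known and the other is not."""
    known, siblings = set(J), []
    for level in merkle_levels(child_hashes)[:-1]:
        for i in sorted(known):
            if i ^ 1 not in known:
                siblings.append(level[i ^ 1])
        known = {i >> 1 for i in known}
    return siblings


def verify_multiproof(root: bytes, k: int, proven: dict, siblings: list) -> bool:
    """Rebuild the root from {child index: hash} and the sibling stream, in the prover's order."""
    width, known, siblings = next_pow2(k), dict(proven), list(siblings)
    while width > 1:
        nxt = {}
        for i in sorted(known):
            if i >> 1 in nxt:            # pair already combined from its even member
                continue
            if i ^ 1 in known:
                other = known[i ^ 1]
            elif siblings:
                other = siblings.pop(0)
            else:
                return False             # proof too short
            left, right = (known[i], other) if i % 2 == 0 else (other, known[i])
            nxt[i >> 1] = H(left, right)
        known, width = nxt, width >> 1
    return not siblings and known.get(0) == root


def demo() -> dict:
    k = 32
    children = [H(b"child", bytes([i])) for i in range(k)]   # constructed child hashes
    root = cmr(children)
    single = multiproof(children, {7})                       # t = 1: a plain Merkle path
    clustered = multiproof(children, {0, 1, 2, 3})           # shared ancestors save siblings
    spread = multiproof(children, {0, 31})                   # t(log k - log t) = 2 * 4
    honest = (verify_multiproof(root, k, {7: children[7]}, single)
              and verify_multiproof(root, k, {i: children[i] for i in range(4)}, clustered)
              and verify_multiproof(root, k, {0: children[0], 31: children[31]}, spread))
    forged = verify_multiproof(root, k, {7: H(b"forged")}, single)
    node_hash = content_hash(bytes(32), list(range(k)), children, [1] * k)
    return {"single": len(single), "clustered": len(clustered), "spread": len(spread),
            "honest": honest, "forged": forged, "node_hash": node_hash}
```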

Multi-point HOT proof. For a set of keys $K=\{K_{1},\ldots,K_{m}\}$:

$$\pi_{\text{multi}}(K)=(\text{Entries},\text{Levels}) \tag{7}$$

where Entries contains the tuples $(K_{i},V_{i},v_{i})$ sorted by key, and Levels organizes the NPEs by depth with compact multiproofs at each node.

Theorem 4 (Multi-Proof Soundness).

If verification succeeds, then all key-value pairs $(K_{i},V_{i})$ exist in the trie committed by the root, with overwhelming probability.

Proof sketch (Theorem 4).

Each key $K_{i}$ must pass the same routing consistency and hash reconstruction checks as in single-point verification (Theorem 3). Path sharing and compact multiproofs reduce proof size but do not weaken security: shared nodes are verified once with the same rigor, and multiproofs authenticate the same child hashes as independent proofs would. Forging any $(K_{i},V_{i})$ requires finding a hash collision. ∎

5.4 Lower Bound Proof

Lower bound queries—finding the smallest key $\geq Q$—are fundamental to range operations in authenticated storage systems. Unlike membership queries, where the search target either exists or does not, lower bound queries must locate a key that may differ from the query itself.

In prefix-organized tries such as MPT, siblings represent lexicographically adjacent key ranges, making neighbor identification straightforward. HOT organizes nodes by discriminative bits instead, so siblings may span non-contiguous ranges. We therefore construct lower bound proofs by authenticating the search path that HOT's bit-comparison traversal follows to locate the smallest key $\geq Q$.

Definition 5 (Lower Bound Query).

For a query key $Q$, the lower bound operation $\mathrm{lb}(Q)$ returns the smallest key $K\geq Q$ present in the trie, or $\bot$ if no such key exists.

A critical subtlety arises from the nature of optimistic search. The search finds a leaf $K'$ that matches the query $Q$ on all discriminative bits encountered during traversal, but $K'$ need not be lexicographically close to $Q$—the two may differ arbitrarily on non-discriminative bits. When searching for $Q$ terminates at a leaf $K'$ where $K'\neq Q$, let $d=\mathrm{diffbit}(Q,K')$ denote the first differing bit position. Three cases arise:

  • Exact match ($K'=Q$): The query key exists; $K'$ is trivially the lower bound.

  • Overshot ($Q[d]=0$, $K'[d]=1$): The search entered a right subtree, so $Q<K'$ lexicographically. However, $K'$ may not be minimal within this subtree; the true lower bound is the leftmost leaf reachable from the fork point.

  • Undershot ($Q[d]=1$, $K'[d]=0$): The search ended in a left subtree where all keys are less than $Q$. The algorithm must examine right siblings at the fork point to find a subtree containing keys $\geq Q$.

The lower bound proof must authenticate both the leaf $K'$ reached by optimistic search and the path to the actual result.

Definition 6 (Lower Bound Proof).

For query $Q$, the lower bound proof structure is:

$$\pi_{\text{lb}}(Q)=(Q,\text{Path},K',V',v',\text{Adj},K_{\text{result}},V_{\text{result}}) \tag{8}$$

comprising the query key, the authenticated search path to the leaf $(K',V',v')$ reached by optimistic search, optional adjustment information Adj for non-exact matches, and the actual lower bound result $(K_{\text{result}},V_{\text{result}})$.

When $K'\neq Q$, the adjustment information specifies how to navigate from the search path to the true lower bound:

$$\text{Adj}=(d,b,f,\text{AdjPath}) \tag{9}$$

where $d=\mathrm{diffbit}(Q,K')$ is the first differing bit, $b=Q[d]$ indicates overshot ($b=0$) or undershot ($b=1$), $f$ is the fork depth, and AdjPath authenticates the path from the fork point to the result leaf.

Definition 7 (Fork Depth).

The fork depth $f$ identifies where the query's hypothetical path would diverge from the path to the leaf reached by optimistic search:

$$f=\max\{i : d\in\mathrm{disc\_bits}(\text{Path}[i])\} \tag{10}$$

where $\mathrm{disc\_bits}(\cdot)$ extracts the set of discriminative bit positions encoded in a node's extraction masks.

Lemma 5 (Lower Bound Correctness).

The adjustment algorithm correctly computes $\mathrm{lb}(Q)$.

Proof sketch (Lemma 5).

Let $d=\mathrm{diffbit}(Q,K')$ denote the first bit position where the query and the reached leaf differ.

Overshot case ($Q[d]=0$, $K'[d]=1$): At fork depth $f$, the search entered a subtree rooted at a node whose discriminative bit at position $d$ directed the search rightward. All keys $K$ in this subtree share bit $d=1$, hence satisfy $K>Q$ lexicographically. The minimum key in this subtree (found by repeatedly taking the leftmost child from the fork point) is therefore the smallest key exceeding $Q$. Note that this minimum need not be $K'$ itself, as $K'$ may reside anywhere within the subtree.

Undershot case ($Q[d]=1$, $K'[d]=0$): The search terminated in a left subtree where all keys share bit $d=0$, hence are lexicographically smaller than $Q$. The algorithm must find the first right sibling at the fork point whose subtree contains keys $\geq Q$, then descend to that subtree's minimum. ∎

Verification. The verifier must ensure that the claimed result is indeed the minimum key $\geq Q$, not merely some key satisfying the bound. Four checks enforce correctness:

  • Path integrity. The search path must authenticate $K'$ against the committed root via bottom-up hash reconstruction.

  • Search consistency. Both $Q$ and $K'$ must route identically through each path node—i.e., produce the same dense key and thus select the same child—confirming that $K'$ is the leaf that optimistic search reaches for $Q$.

  • Fork depth correctness. The verifier independently recomputes $f$ from the Merkle-committed extraction masks, rejecting any mismatch with the claimed value.

  • Structural minimality. For overshot cases, every entry in AdjPath must have child index 0 (leftmost descent); for undershot cases, the first adjustment entry must be the immediate right sibling at the fork point. These constraints ensure that the result is minimal.

Theorem 6 (Lower Bound Soundness).

If verification succeeds, then $K_{\text{result}}=\mathrm{lb}(Q)$ with overwhelming probability.

Proof sketch (Theorem 6).

The verifier independently recomputes the fork depth $f$ from the Merkle-committed extraction masks using Definition 7, preventing adversarial manipulation of the branching point. Structural constraints enforce minimality: in the overshot case, each entry in AdjPath must have child index 0 (leftmost descent); in the undershot case, the first adjustment entry must be the immediate right sibling of the search path's child at the fork point. The adjustment path must reconstruct to the same node content hash as the search path at depth $f$, cryptographically binding it to the committed trie structure. Any attempt to return a non-minimal key will produce a root hash mismatch. ∎

5.5 Range Proof

Range queries are essential for authenticated storage applications such as blockchain state synchronization, where clients must verify that a returned dataset contains exactly the entries within specified bounds [devp2p, rangeproofimportant]. The central challenge is completeness: an adversarial prover might return a subset of the true range, omitting entries to deceive the verifier.

Definition 8 (Range Query).

For an interval $[\text{first},\text{last})$, the range query returns all key-value pairs $(K,V)$ satisfying $\text{first}\leq K<\text{last}$.

Mhot constructs range proofs by composing lower bound proofs with multi-point proofs. The lower bound proofs (Section 5.4) establish the range boundaries, while the multi-point proof (Section 5.3) authenticates all entries within.

Definition 9 (HOT Range Proof).

For an interval $[\text{first},\text{last})$:

$$\pi_{\text{range}}=(\text{first},\text{last},\pi_{\text{lb}}^{L},\pi_{\text{lb}}^{R},\pi_{\text{multi}}) \tag{11}$$

where $\pi_{\text{lb}}^{L}$ authenticates $\mathrm{lb}(\text{first})$, $\pi_{\text{lb}}^{R}$ authenticates $\mathrm{lb}(\text{last})$, and $\pi_{\text{multi}}$ proves membership of all entries in the range.

Rank-based completeness verification. Efficient completeness verification builds on the rank function, which counts the number of keys preceding a given key in the trie’s total order. Since each node records the leaf counts of its child subtrees and commits them in the node content hash, the verifier can derive ranks directly from the boundary proofs, without enumerating all keys in the queried range.

Definition 10 (Rank).

For a key $K$ in trie $T$, the rank is the count of smaller keys:

$$\mathrm{rank}(K)=|\{K'\in T : K'<K\}| \tag{12}$$

Lemma 7 (Rank Computation from Path).

Given the search path for key $K$, the rank can be computed as:

$$\mathrm{rank}(K)=\sum_{i=0}^{h-1}\sum_{j=0}^{\text{child\_idx}_{i}-1}\mathrm{lc}(\text{path}[i].\text{children}[j]) \tag{13}$$

Proof sketch (Lemma 7).

At each level $i$ of the search path, all children with indices $j<\text{child\_idx}_{i}$ contain keys lexicographically smaller than $K$, since sparse partial keys maintain sorted order within each compound node. The $\mathrm{lc}$ field, committed in the node content hash, records the total number of leaves in each child's subtree. Summing these counts across all path levels yields the total number of keys preceding $K$. ∎

This rank computation enables $O(1)$ completeness verification: the verifier simply checks whether $|\text{entries}|=\mathrm{rank}(\text{last})-\mathrm{rank}(\text{first})$. If an adversary omits even a single entry, the count mismatch triggers rejection. Algorithm 4 presents the complete verification procedure.

Algorithm 4 Range Proof Verification
Input: proof $\pi$, expected root $R$
Output: True if the proof is valid
1: ▷ verify boundary proofs first (prevents omission attacks)
2: if not $\textsc{VerifyLB}(\pi.\pi_{\text{lb}}^{L}, R)$ then return False
3: end if
4: if not $\textsc{VerifyLB}(\pi.\pi_{\text{lb}}^{R}, R)$ then return False
5: end if
6: if $\pi.\text{first} \geq \pi.\text{last}$ then
7:   return $\pi.\text{entries} = \emptyset$
8: end if
9: if not $\textsc{VerifyMulti}(\pi.\pi_{\text{multi}}, R)$ then return False
10: end if
11: ▷ rank-based count verification
12: $r_{L} \leftarrow \textsc{ComputeRank}(\pi.\text{first}, \pi.\pi_{\text{lb}}^{L})$
13: $r_{R} \leftarrow \textsc{ComputeRank}(\pi.\text{last}, \pi.\pi_{\text{lb}}^{R})$
14: if $r_{R} - r_{L} \neq |\pi.\text{entries}|$ then
15:   return False ▷ omission detected
16: end if
17: ▷ verify ordering and boundaries
18: for all $i \in [1, |\pi.\text{entries}|)$ do
19:   if $\pi.\text{entries}[i].\text{key} \leq \pi.\text{entries}[i-1].\text{key}$ then
20:     return False
21:   end if
22: end for
23: return True

The verification algorithm enforces a critical security invariant: boundary proofs must be verified before accepting any entries. This ordering prevents empty-proof attacks where an adversary provides valid but incomplete entry lists. The rank-based count check then ensures exactly the correct number of entries appears.
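An added example, not the paper's code, of the rank computation of Lemma 7 and the rank-based count and ordering checks of Algorithm 4 over a constructed fanout-4 tree. The tree stores a leaf count per child (the lc field) and routes by key order instead of HOT's bit-level matching, and the hash authentication of the boundary and multi-point proofs is omitted so that only the counting logic is shown.

```python
FANOUT = 4  # constructed fanout; HOT compound nodes hold up to k children


def leaf_count(t) -> int:
    """The lc field: number of leaves below a subtree."""
    return 1 if t[0] == "leaf" else sum(lc for _, lc, _ in t[1])


def max_key(t) -> int:
    return t[1] if t[0] == "leaf" else max_key(t[1][-1][2])


def build(keys: list):
    """Height-balanced tree over sorted keys; an internal node is
    ("node", [(max_key, lc, child), ...]) with children in key order."""
    level = [("leaf", k) for k in sorted(keys)]
    while len(level) > 1:
        level = [("node", [(max_key(c), leaf_count(c), c) for c in level[i:i + FANOUT]])
                 for i in range(0, len(level), FANOUT)]
    return level[0]


def lower_bound_path(root, q: int):
    """Search path to lb(q) as [(children, child_idx), ...] plus the key found,
    or None when no key >= q exists (lb(q) is undefined)."""
    path, t = [], root
    while t[0] == "node":
        children = t[1]
        idx = next((i for i, (mx, _, _) in enumerate(children) if mx >= q), None)
        if idx is None:
            return None
        path.append((children, idx))
        t = children[idx][2]
    return path, t[1]


def rank_from_path(path) -> int:
    """Eq. (13): at each level, add the leaf counts of the children left of the chosen one."""
    return sum(lc for children, idx in path for _, lc, _ in children[:idx])


def range_count_check(root, first: int, last: int, entries: list) -> bool:
    """Algorithm 4's rank-based count check and ordering check: rank(last) - rank(first)
    must equal |entries| and the entries must be strictly increasing.  rank(first) equals
    rank(lb(first)) because no key lies in [first, lb(first)); when no lower bound exists
    the rank is the total leaf count."""
    total = leaf_count(root)
    lb_first, lb_last = lower_bound_path(root, first), lower_bound_path(root, last)
    r_l = total if lb_first is None else rank_from_path(lb_first[0])
    r_r = total if lb_last is None else rank_from_path(lb_last[0])
    if r_r - r_l != len(entries):
        return False  # an omitted (or extra) entry is detected by the count alone
    return all(entries[i - 1] < entries[i] for i in range(1, len(entries)))


def demo() -> dict:
    keys = [3, 5, 8, 13, 21, 34, 55, 89, 144, 233, 377, 610]  # constructed key set
    root = build(keys)
    full = [k for k in keys if 8 <= k < 300]       # the honest answer for [8, 300)
    omitted = [k for k in full if k != 55]         # a prover that drops one entry
    path, found = lower_bound_path(root, 10)       # 10 is absent, so lb(10) = 13
    return {
        "lb": found,
        "rank_lb": rank_from_path(path),           # 3 keys precede 13
        "honest": range_count_check(root, 8, 300, full),
        "omitted": range_count_check(root, 8, 300, omitted),
        "open_end": range_count_check(root, 200, 10**6, [233, 377, 610]),
    }
```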

Theorem 8 (Range Proof Soundness).

If verification succeeds, the entries contain exactly all keys $K$ satisfying $\text{first}\leq K<\text{last}$.

Proof sketch (Theorem 8).

The proof composes three security guarantees. First, by Theorem 6 (Lower Bound Soundness), the boundary proofs $\pi_{\text{lb}}^{L}$ and $\pi_{\text{lb}}^{R}$ correctly identify $\mathrm{lb}(\text{first})$ and $\mathrm{lb}(\text{last})$. Second, by Lemma 7 (Rank Computation), the verifier accurately computes $\mathrm{rank}(\text{first})$ and $\mathrm{rank}(\text{last})$ from these authenticated paths; since $\mathrm{rank}(\text{last})-\mathrm{rank}(\text{first})$ equals exactly $|\{K:\text{first}\leq K<\text{last}\}|$, any count mismatch with $|\text{entries}|$ reveals an omission attack. Third, by Theorem 4 (Multi-Proof Soundness), every entry in $\pi_{\text{multi}}$ authentically exists in the committed trie. Together these guarantees ensure that the returned entries are exactly the keys in $[\text{first},\text{last})$. ∎

6 Evaluation

We evaluate Mhot along four dimensions, each framed as a question. Q1. Does Mhot improve write throughput compared to existing authenticated data structures? Q2. Does Mhot's batched persistence strategy reduce write amplification (WA)? Q3. How does tree height vary across workloads, and what are the implications for proof size? Q4. Does Mhot's compound node design mitigate Nurgle attacks?

6.1 Experimental Setup

Implementation. We implement all systems in Rust with release optimizations. RocksDB [rocksdb] serves as the underlying key-value store with a 2 GB LRU cache. We report the median of five independent runs; ranges in tables indicate variation across scales or configurations.

Hardware. We run experiments on an AWS EC2 instance with an 8-vCPU Intel Xeon Scalable processor (Sapphire Rapids, 3.2 GHz), 64 GB RAM, and EBS-optimized storage providing baseline 12,000 IOPS with burst capacity up to 40,000 IOPS.

Baselines. We compare Mhot against three representative systems under the benchmark setup used by LVMT [lvmt]. (i) MPT is Ethereum's current authenticated state structure based on the Merkle Patricia Trie [ethereum]. (ii) LVMT is a layered versioned multipoint trie that leverages KZG polynomial commitments to achieve $O(1)$ root updates [lvmt]. (iii) RainBlock adopts DSM-TREE, a distributed sharded Merkle tree design optimized for in-memory storage [rainblock]. The RainBlock-style configuration keeps the upper six levels in memory and pages deeper nodes from RocksDB, matching LVMT's layered-storage baseline [lvmt]. For LVMT, we use the recommended configuration of 16 bits per level, resulting in a fanout of $2^{16}=65{,}536$ per layer. We do not evaluate its History Merkle Tree functionality, as this component is not available in the open-source implementation.

Workloads. We evaluate two types of workloads. (i) The synthetic workload first populates the tree with 100k–1M entries, followed by 100 epochs, each consisting of 100,000 random updates. (ii) The real-world trace workload replays Ethereum mainnet blocks 13,500,000–13,510,000, grouped into 200 epochs of 50 blocks each, in accordance with LVMT’s recommended configuration.

6.2 Write Throughput (Figure 4)

Write throughput measures how fast the commitment engine processes batch updates (§3.1). We denote Mhot with asynchronous flush as Mhot-AF (asynchronous flush).

Synthetic workloads. At 100k keys, Mhot-AF reaches 260k ops/s, outperforming MPT (29k ops/s) by 9×. LVMT and RainBlock reach 120k and 108k ops/s respectively—roughly half of Mhot's throughput. Synchronous-flush Mhot variants hit 200k ops/s, still 7× faster than MPT.

As tree size grows, all systems show throughput degradation. At 500k keys, Mhot-AF maintains 135k ops/s while LVMT drops to 90k ops/s and RainBlock to 50k ops/s. At 1M keys, Mhot-AF delivers 104k ops/s versus MPT's 17k ops/s (6×), LVMT's 80k ops/s (1.3×), and RainBlock's 38k ops/s (2.7×). At larger scales, LVMT's $O(1)$ root update complexity narrows the gap, though Mhot retains an advantage through reduced tree traversal depth.

Real-world trace. Under Ethereum mainnet traces, Mhot-AF reaches 130k ops/s, outperforming LVMT (72k ops/s) by 1.8×, RainBlock (55k ops/s) by 2.4×, and MPT (20k ops/s) by 6.5×. The real-world trace exhibits higher key locality than synthetic workloads, benefiting Mhot's cache-friendly compound node layout. Blake3 variants outperform Keccak variants by 3–5% due to Blake3's lower computational overhead. For Ethereum compatibility, Keccak remains the default despite this modest penalty.

Figure 4: Write throughput. Mhot-AF denotes asynchronous flush; Mhot without suffix uses synchronous flush. Mhot outperforms MPT by 5–9× across all configurations.

6.3 Write Amplification (Figure 5)

Synthetic workloads. At 100k keys, Mhot records an average WA of 0.9, three times lower than MPT's 2.7. LVMT records the lowest WA (0.8) due to its LSM-tree-style append-only storage. RainBlock records 1.45.

As tree size grows, MPT's WA rises from 2.7 at 100k to 4.8 at 1M keys, reflecting the cost of maintaining deep Merkle paths with per-epoch commits. Mhot maintains a WA of 0.9–1.6 across scales, a 3–3.7× reduction over MPT. LVMT consistently records the lowest WA (0.8–1.0).

Real-world trace. Under Ethereum mainnet traces, Mhot-AF records a WA of 1.1, versus MPT's 3.2 (2.9× reduction), RainBlock's 1.8 (1.6× reduction), and LVMT's 1.0. Synchronous-flush Mhot variants show slightly higher WA (1.25) due to more frequent disk commits.

Mhot's batched flush strategy introduces per-epoch variance: most epochs complete with near-zero WA, while flush epochs reach 4–8 depending on accumulated changes. For aggregate storage efficiency (most relevant to long-running nodes), Mhot's lower WA reduces total I/O over time. LVMT records 10–15% lower WA than Mhot, but incurs 3–4 orders of magnitude higher verification latency (§6.5).

Figure 5: Average write amplification comparison. Lower is better. LVMT achieves the lowest WA via append-only storage. Mhot reduces MPT's WA by 3× via batched flushing.

6.4 Tree Height Analysis (Figure 6)

Tree height directly impacts proof size and verification latency. Each additional level requires more node traversals and more sibling hashes in membership proofs.

Synthetic workloads. Under uniformly distributed keys, LVMT records the lowest tree height of 2 across all scales, reflecting its $2^{16}$ fanout per level. Mhot maintains height 5–6, while MPT and RainBlock reach 8–9. Mhot’s compound node design yields 35–40% shallower trees than MPT.

Real-world trace. The Ethereum mainnet trace reveals a limitation of fixed-span architectures. LVMT maintains an average height of 2, but individual branches reach depth 9, approaching MPT and RainBlock’s worst-case heights of 10. Real Ethereum addresses cluster within certain prefixes due to contract factories and sequential account creation, causing fixed 16-bit partitioning to produce unbalanced subtrees.

Mhot maintains stable height of 6 under real-world traces. Its variable-span compound nodes adapt to local key density by packing discriminative bits greedily, absorbing prefix collisions without proportional height increase. This consistency across workloads matters for blockchain deployments where key distributions vary unpredictably.

Figure 6: Tree height comparison. LVMT achieves optimal height under synthetic workloads but degrades to match MPT under real traces. Mhot maintains consistent height.

6.5 Proof Size and Latency

We evaluate single-point membership proofs across systems (Figure 7 and Table 2), then examine Mhot’s scalability for multi-point and range proofs (Figure 8).

Single-point proofs. Figure 7 compares proof size and prove latency across five system configurations and four tree scales (100K–1M synthetic keys plus Ethereum mainnet trace with 1.6M keys). We evaluate two LVMT sampling strategies: random (best-case, sampling uniformly across keys) and deepest (worst-case, targeting keys at maximum tree depth).

Mhot-Blake3 achieves the most compact proofs across all scales, ranging from 1,139 bytes at 100K keys to 1,423 bytes under real-world traces. LVMT-random produces larger proofs (2,227–3,011 bytes) due to KZG commitment overhead, while LVMT-deepest reveals worst-case behavior with proofs reaching 4,411–19,123 bytes under real traces (13× larger than Mhot). MPT proofs range from 2,304 to 2,867 bytes, twice Mhot’s size. Mhot’s proof size advantage stems from its two-layer Merkle architecture: the intra-node Merkle tree requires only $O(\log k)$ sibling hashes per node rather than $O(k)$, where $k=32$ is the maximum fanout.

For prove latency, LVMT-random achieves the lowest values (5.1–7.7 μs), while Mhot-Blake3 (8.9–11.9 μs) outperforms Mhot-Keccak (31.5–42.5 μs) by 3.5× due to Blake3’s lower computational overhead. LVMT-deepest reaches 10.6–61.4 μs under real traces. MPT (6.2–8.9 μs) remains stable.

Table 2 presents verification latency. Hash-based schemes (Mhot, MPT) operate in microseconds, while LVMT’s KZG polynomial commitment verification requires milliseconds due to pairing operations. Mhot-Blake3 verifies proofs in 5.3 μs, comparable to MPT (10–12 μs) while providing smaller proofs. LVMT’s verification latency of 32–147 ms represents three to four orders of magnitude overhead compared to hash-based schemes, which is a critical trade-off for applications requiring fast verification such as light clients.

Figure 7: Single-point proof comparison across tree scales. Top panel shows proof size; bottom panel shows prove latency. LVMT-random represents best-case sampling; LVMT-deepest represents worst-case targeting of deep keys.
Table 2: Single-point verification latency. Hash-based schemes operate in microseconds; LVMT’s KZG pairing requires milliseconds.
System        100K       500K       1M         Real
Mhot-Blake3   4.4 μs     5.1 μs     5.4 μs     5.3 μs
Mhot-Keccak   9.9 μs     11.2 μs    12.0 μs    11.9 μs
MPT           10.2 μs    11.5 μs    12.3 μs    12.3 μs
LVMT          33–47 ms   32–49 ms   32–51 ms   38–147 ms

Multi-point and range proofs. Figure 8 shows proof size and latency scaling with batch and range size under Ethereum mainnet traces (1.6M keys). Multi-point proofs grow from 1.4 KB (single key) to 92.6 KB (1000 keys), while range proofs grow from 1.4 KB to 95.7 KB. For latency, multi-point prove time scales from 12 μs to 2.3 ms, while verify time scales from 5.5 μs to 4.9 ms. Range proofs exhibit similar scaling, with prove latency reaching 2.8 ms and verify latency reaching 5.1 ms at 1000 entries. The rank-based completeness verification (§5.5) adds minimal overhead, as rank computation requires only summation over pre-computed leaf counts.

Figure 8: Multi-point and range proof scalability under Ethereum mainnet traces (Blake3). Proof size and latency scale linearly with batch size. Verify latency dominates at larger batch sizes due to hash recomputation.

6.6 Nurgle Attack Resistance

The Nurgle attack [nurgle] exploits prefix collisions to inflate tree depth for targeted keys, increasing their proof costs. We evaluate resistance under the threat model where an adversary controls 52 prefix bits (matching the original Nurgle analysis) and commands an entire block’s gas budget (300M gas, approximately 15,000 insertions).

Experimental setup. We sample 10,000 random keys as attack targets. For each target, the attacker generates collision keys matching the target’s 52-bit prefix and inserts them until either the target’s depth increases or the block’s gas budget is exhausted. For MPT, we employ a round-robin strategy distributing insertions across all targets to maximize attack coverage. For LVMT, we track the depth distribution of both original and attack keys, since its fixed-depth-at-insertion property prevents existing keys from being pushed deeper.

Attack results (Table 3). MPT proves highly vulnerable: 99.97% of sampled keys experienced depth increases, with average depth rising from 6.88 to 8.91 (+2.03 levels) and maximum depth increasing from 9 to 12. In contrast, Mhot exhibits strong resistance: zero successful attacks across all 10,000 targets, even after exhausting an entire block’s gas budget per target. Mhot’s compound nodes absorb prefix collisions through internal restructuring (Leaf Pushdown, Parent Pull-Up) without propagating depth increases.

Table 3: Nurgle attack on Ethereum mainnet.
System   Success Rate   Depth Δ (avg)   Depth Δ (max)
MPT      99.97%         +2.03           +3
Mhot     0%             0               0

LVMT prefix pollution. LVMT presents a different security model: once inserted, a key’s depth is fixed and cannot be increased by subsequent insertions. However, attackers can still pollute prefix regions by inserting keys that occupy slots at shallower levels, forcing future keys into deeper levels.

Figure 9 illustrates this effect. Before the attack, 82.3% of keys reside at level 0 and 17.4% at level 1 (average depth 0.18). After inserting 15,000 attack keys targeting specific prefixes, 99.9% of attack keys are placed at level 3, far deeper than legitimate keys. Although existing keys remain unaffected, the polluted prefix regions force any future keys sharing these prefixes to be placed at level 3 or deeper. This behavior constitutes a degradation-of-service attack against future users whose addresses collide with the targeted prefixes.

Figure 9: LVMT key distribution by level before and after Nurgle attack. Attack keys (hatched) concentrate at level 3, polluting targeted prefix regions for future insertions.

Key experimental findings. Our experiments yield four key findings. Mhot achieves 5–9× higher write throughput than MPT, reaching up to 260k ops/s at 100k keys and 100k ops/s at 1M keys (Q1). This gain is partly due to reduced write amplification: Mhot achieves average WA of 0.9–1.6, a 3–4× reduction compared to MPT (Q2). Mhot also maintains a stable tree height of 5–6 levels across all workloads, 35–40% shallower than MPT, resulting in 50% smaller membership proofs (1.1–1.4 KB vs. 2.3–2.9 KB) with comparable verification latency (Q3). Finally, under the Nurgle threat model with a 15,000-insertion budget, none of the 10,000 sampled keys experienced depth increases (Q4).

7 Discussion

We discuss two aspects below.

7.1 Scope and Complementary Mitigations

Our scope. Our evaluation targets the state commitment bottleneck in modern clients. Integrating Mhot into full execution pipelines would validate its end-to-end impact on block processing. Mhot operates at the ADS layer beneath Ethereum’s account model [ethereum], treating account fields as opaque key-value pairs. It therefore remains compatible with state-clearing semantics [eip161], proof interfaces [eip1186], and gas accounting standards [eip2929]. Deployment can follow an incremental migration path where new commits use Mhot while historical proofs remain verifiable against archived MPT roots.

Reduced commitment latency may also benefit block validation throughput, though quantifying this effect requires end-to-end pipeline evaluation.

Complementary mitigation strategies. In-memory layering caches reused upper trie levels to reduce authenticated-state cost without changing the local tree. LMPTs [lmpts] keep recent-update tries in memory and the snapshot trie on disk; our RainBlock-style baseline keeps the upper six levels in memory and loads deeper nodes from RocksDB. This helps the normal case where updates reuse upper ancestors, but it does not close the Nurgle path. Adversarial keys share long prefixes and grow paths below the cached levels (a single RTX3080 GPU can manipulate the first 15 MPT layers by colliding 13 nibbles [nurgle]), and the tree still routes by fixed prefixes regardless of how deep the cache extends.

Systemic mitigations reorganize state above the local tree. Chainspace [chainspace] splits state across shards and certifies shard-local commitments through quorum signatures, while RainBlock [rainblock] distributes state in DSM-TREE shards and offloads disk access to storage nodes. These designs expose parallelism above the tree at the cost of data placement, network coordination, quorum certification, and cross-shard access, and compose with Mhot, since each shard or checkpoint still requires a local authenticated structure that remains exposed to depth inflation when prefix-based. Mhot fills that local structural role inside layered, partitioned, or checkpointed deployments.

7.2 Future Directions

Hardware acceleration. Increasing the span to $k=64$ [hot] exploits AVX-512 instructions on modern processors, further reducing tree height. For spans of $k\geq 256$, scalar implementations suffice because persistent storage I/O dominates latency. Alternatively, algebraic commitments such as vector commitments in AMT [lvmt] trade setup transparency for reduced verification overhead. Mhot’s deferred hashing exposes parallelism well-suited to GPU acceleration, where nodes at the same height level are mutually independent and map efficiently onto GPU SIMD units [deng2024gpu].

Storage optimization. Integrating HOT’s leaf-optimized node layout would substantially reduce node sizes through dense-region collapsing and variable-length delta encoding [hot], though deterministic Merkle hash computation must remain tractable.

State pruning. Content-addressable, copy-on-write storage creates new node versions on every modification. Version-prefixed database keys allow efficient range deletion of nodes older than a retention threshold, and the underlying LSM-tree engine’s compaction naturally discards tombstoned entries. A production deployment would benefit from a configurable pruning policy that balances historical state availability against storage growth.

Concurrency. HOT’s copy-on-write semantics with wait-free readers [hot] provide a foundation for concurrent access. Mhot’s immutable nodes already support concurrent reads without synchronization. However, coordinating parallel writers remains an open problem.

Structural attack analysis. Mhot removes Nurgle’s prefix-collision attack through discriminative-bit indexing, but its structure may open new attack vectors. An adversary could craft keys that concentrate discriminative-bit conflicts within certain subtrees, forcing repeated node splits such as leaf pushdown, parent pull-up, and intermediate node creation. Following Nurgle’s analytical approach, a systematic study would estimate the effort to force such splits, measure the resulting path-length increase per malicious insertion, and evaluate whether these effects produce economic imbalance under the gas pricing model [eip2929]. We leave tight bounds on adversarial path inflation to future work.

8 Related Work

Protocol-level updates. Ethereum’s roadmap explores replacing MPT with alternative state commitment structures. Verkle Trees [verkle], proposed in EIP-6800 [eip6800], adopt vector commitments to achieve constant-size proofs per tree level, enabling stateless client verification. This design relies on a trusted setup; while multi-party computation ceremonies distribute trust, compromise remains possible. As an alternative, EIP-7864 [eip7864] proposes a binary Merkle tree tailored for SNARK-based proof generation, partly motivated by post-quantum concerns of pairing-based schemes [postquantum-verkle]. Both approaches require hard forks and incur nontrivial deployment costs, either through additional trust assumptions or substantial proof generation overhead.

In contrast, Mhot demonstrates that performance and robustness gains remain achievable within the existing hash-based commitment model. More importantly, Mhot preserves the simplicity of Merkle authentication without introducing algebraic verification overhead for deployment.

Vector commitments. VC literature addresses a different layer, asking how to commit to a value set and open positions with short proofs rather than how state is organized, indexed, or traversed; the two layers compose. When paired with a trie, as in Verkle and LVMT (§2.2), a VC decouples proof size from fanout cryptographically, while Mhot achieves the same decoupling structurally via discriminative-bit indexing and hierarchical proofs, a different design point, not a competing one. Pure VC constructions without a tree, such as Aardvark [aardvark] (bucketed dictionary), KVaC [kvac] (flat key-value commitment), and EDRAX [edrax] (indexed authenticated array), target different objectives and do not map onto the axes of Table 1. Proof-aggregation techniques (Pointproofs [pointproofs], Hyperproofs [hyperproofs], Cauchyproofs [cauchyproofs], aSVC [asvc]) are orthogonal to the base structure; foundational results [catalano-fiore13, campanelli2020, cfgg22] establish the VC primitive, incremental aggregation, and impossibility bounds. The lack of native range proofs in LVMT and Verkle (Table 1) reflects engineering status, not a fundamental VC limitation; interval certification needs extra construction that hash-based Merkle proofs avoid.

State storage optimization. Beyond modifications to the authenticated tree structure itself, prior work has explored workload-aware optimizations for blockchain state storage. Adaptive tree restructuring [kuznetsov2024] dynamically promotes frequently accessed nodes toward the root, reducing average access latency for hot state. Hot–cold data separation schemes [feng2025] migrate infrequently accessed state to lower-cost storage tiers while preserving fast access to active accounts. These approaches primarily optimize for access frequency and locality, rather than the structural properties of the key space.

In contrast, Mhot’s height optimization targets worst-case structural depth induced by key relationships, independent of workload skew. The two strategies are orthogonal and can be naturally composed.

Storage architecture. Blockchain-aware storage engines mitigate I/O amplification by exploiting blockchain-specific access patterns, primarily through two complementary strategies. The first leverages key structure and layout. ChainKV [chainkv] separates state from non-state data using Prefix-MPT to improve key locality, while Block-LSM [blocklsm] prefixes keys with block numbers to cluster same-block writes and reduce compaction overhead. The second strategy amortizes commitment cost over time. LETUS [letus] employs log-structured delta encoding across blocks, and COLE [cole] applies learned indexes to optimize read-heavy workloads.

Modern production clients such as Erigon [erigon] further adopt flat database designs that decouple state access from commitment computation, effectively treating the authenticated data structure as a dedicated commitment engine. Mhot follows this decoupling principle and focuses optimization squarely on the commitment bottleneck itself.

Acceleration techniques. Hardware acceleration complements algorithmic improvements. Deng et al. [deng2024gpu] parallelize MPT hash computation on GPUs via PhaseNU and LockNU algorithms, addressing node-splitting conflicts during concurrent updates. This achieves substantial throughput gains for commitment-intensive workloads. Combining GPU parallelism with height-optimized structures remains unexplored.

Mhot’s deferred hashing exposes parallelism suited for such acceleration: nodes at the same height level share no data dependencies during hash computation.

Nurgle mitigation. The attack [nurgle] exploits the predictable structure of MPT to inflate tree depth via adversarial key selection. Current mitigation efforts focus on economic disincentives or data pruning rather than structural defenses. EIP-4444 [eip4444] enables historical data pruning but leaves the current state structure unchanged. EIP-4762 [eip4762] proposes gas repricing for witness costs but remains in draft, facing determinism challenges. Verkle migration [verkle, eip6800] would alter the attack surface but requires ongoing protocol changes.

Mhot provides an immediate structural defense. Even when an adversary controls an entire block’s gas budget, Mhot achieves zero successful depth increases, compared to 99.97% attack success rate against MPT. The compound node design absorbs prefix collisions through internal restructuring without propagating depth increases to existing keys.

Algorithm 5 Compact Multiproof Generation [merkle-multiproof]
Input: leaves $L$, indices $I$ to prove
Output: Compact multiproof $\pi$
1: $\text{depth}\leftarrow\lceil\log_{2}|L|\rceil$
2: $\text{known}\leftarrow\{(\text{depth},i):i\in I\}$
3: $\text{proof\_hashes}\leftarrow\langle\rangle$
4: for $\ell\leftarrow\text{depth}-1$ downto $0$ do
5:   for $i\leftarrow 0$ to $2^{\ell}-1$ do
6:     $\text{left}\leftarrow(\ell+1,2i)\in\text{known}$
7:     $\text{right}\leftarrow(\ell+1,2i+1)\in\text{known}$
8:     if left and right then
9:       $\text{known}.\textsc{Insert}((\ell,i))$
10:    else if left or right then
11:      $s\leftarrow 2i+1$ if left else $2i$
12:      $\text{proof\_hashes}.\textsc{Push}(\textsc{Hash}(\ell+1,s))$
13:      $\text{known}.\textsc{Insert}((\ell,i))$
14:    end if
15:  end for
16: end for
17: return $(I,\text{proof\_hashes},\text{depth})$
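Added example (not the paper’s or the project’s code): Algorithm 5 run over one compound node’s intra-node Merkle tree, paired with the matching verifier, so the $O(\log k)$ sibling count claimed in §6.5 can be measured directly. It assumes 32-byte hashes (SHA-256 stands in for Keccak/Blake3 because it is in the standard library), the page’s $k=32$ maximum fanout, and zero-hash padding to a complete tree; all three are our choices.

```python
import hashlib
from typing import Dict, List, Sequence, Set, Tuple

# Added example, not the paper's code. Assumptions: 32-byte hashes (SHA-256
# stands in for Keccak/Blake3), k = 32 maximum fanout as on the page, and
# zero-hash padding to a complete binary tree inside the compound node.
FANOUT = 32
ZERO = b"\x00" * 32


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_levels(leaves: Sequence[bytes]) -> List[List[bytes]]:
    """Intra-node Merkle tree: levels[d] holds the 2**d hashes at depth d,
    so levels[0] == [root] and levels[depth] are the (padded) child hashes."""
    n = len(leaves)
    depth = max(1, (n - 1).bit_length())          # ceil(log2 n)
    level = list(leaves) + [ZERO] * ((1 << depth) - n)
    levels = [level]
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels[::-1]


def children_merkle_root(leaves: Sequence[bytes]) -> bytes:
    """CMR(N): the Merkle root over the node's child hashes."""
    return build_levels(leaves)[0][0]


def compact_multiproof(leaves: Sequence[bytes],
                       indices: Set[int]) -> Tuple[List[int], List[bytes], int]:
    """Algorithm 5: walk from the leaf level up to the root; a pair with both
    children known needs no hash, a pair with exactly one known child
    contributes the unknown sibling's hash. Returns (I, proof_hashes, depth)."""
    levels = build_levels(leaves)
    depth = len(levels) - 1
    known = {(depth, i) for i in indices}
    proof_hashes: List[bytes] = []
    for lvl in range(depth - 1, -1, -1):
        for i in range(1 << lvl):
            left = (lvl + 1, 2 * i) in known
            right = (lvl + 1, 2 * i + 1) in known
            if left and right:
                known.add((lvl, i))
            elif left or right:
                s = 2 * i + 1 if left else 2 * i
                proof_hashes.append(levels[lvl + 1][s])
                known.add((lvl, i))
    return sorted(indices), proof_hashes, depth


def verify_multiproof(root: bytes, leaf_hashes: Dict[int, bytes],
                      proof: Tuple[List[int], List[bytes], int]) -> bool:
    """Replay Algorithm 5's traversal order, consuming proof hashes exactly
    where the prover emitted them, then compare the recomputed root."""
    indices, proof_hashes, depth = proof
    if any(i not in leaf_hashes for i in indices):
        return False
    known: Dict[Tuple[int, int], bytes] = {(depth, i): leaf_hashes[i] for i in indices}
    pos = 0
    for lvl in range(depth - 1, -1, -1):
        for i in range(1 << lvl):
            l = known.get((lvl + 1, 2 * i))
            r = known.get((lvl + 1, 2 * i + 1))
            if l is not None and r is not None:
                known[(lvl, i)] = H(l + r)
            elif l is not None or r is not None:
                if pos >= len(proof_hashes):
                    return False                  # truncated proof
                sib = proof_hashes[pos]
                pos += 1
                known[(lvl, i)] = H(l + sib) if l is not None else H(sib + r)
    # Every supplied hash must have been consumed, and the root must match.
    return pos == len(proof_hashes) and known.get((0, 0)) == root


def proof_bytes(proof: Tuple[List[int], List[bytes], int]) -> int:
    """Sibling-hash payload of the intra-node proof: O(log k) hashes per
    proven index instead of the k - 1 siblings a flat node would expose."""
    return 32 * len(proof[1])


if __name__ == "__main__":
    # Constructed child hashes for one full-fanout compound node.
    children = [H(bytes([i])) for i in range(FANOUT)]
    cmr = children_merkle_root(children)
    proof = compact_multiproof(children, {3, 5, 20})
    ok = verify_multiproof(cmr, {i: children[i] for i in (3, 5, 20)}, proof)
    print("verify:", ok, "hashes:", len(proof[1]), "bytes:", proof_bytes(proof))
```

A single index over 32 children needs 5 sibling hashes (the tree depth) rather than 31; two adjacent indices share a parent and need 4.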

9 Conclusion

We presented Mhot, a height-optimal authenticated data structure for blockchain state commitment. By adapting height-optimized tries to persistent storage, Mhot achieves substantially higher throughput, lower write amplification, and smaller proofs than MPT, without relying on trusted setup or specialized cryptography. Mhot structurally mitigates Nurgle attacks, maintaining zero successful depth increases even under worst-case adversarial conditions. Our results show that careful data-structure design can fundamentally improve the scalability and robustness of blockchain state commitment.

References

Appendix A Notations (Table 4)

Table 4: Summary of notation.
Symbol                                    Description
$s$, $n$, $k$, $h$                        Span, entry count, fanout ($k{=}32$), tree height
$K$, $V$, $T$                             Key, value, trie
$H$, $\pi$, $\parallel$                   Hash function, proof, concatenation
$N$                                       Compound node
$M$, $S$, $L$                             Extraction masks, sparse keys, leaf counts
$\eta$, $v$, $c_{i}$                      Node height, version, $i$-th child
$\mathrm{CMR}(N)$                         Children Merkle root
$J$, $t$                                  Child index set, $t=|J|$
$\mathrm{NPE}(N,J)$                       Node proof entry for children $J$
$\Pi_{J}^{\mathrm{CMR}}$                  Intra-node Merkle multiproof
$m$, $\mathrm{rank}(K)$                   Batch size, count of keys $<K$
$\mathrm{lc}(c)$, $\mathrm{lb}(Q)$        Leaf count of subtree $c$, lower bound of $Q$
$\lambda$, $\mathrm{negl}(\lambda)$       Security parameter, negligible function

Appendix B Formal Security Proofs

This section presents rigorous security proofs for Mhot’s proof mechanisms using the standard cryptographic game-based framework. We establish formal security guarantees by reducing the soundness of each proof type to the collision resistance of the underlying hash function.

B.1 Cryptographic Preliminaries

Definition 11 (Security Parameter).

Let $\lambda\in\mathbb{N}$ denote the security parameter. A function $f:\mathbb{N}\to\mathbb{R}$ is negligible in $\lambda$, written $f(\lambda)=\mathrm{negl}(\lambda)$, if for every polynomial $p(\cdot)$ there exists $\lambda_{0}$ such that $f(\lambda)<1/p(\lambda)$ for all $\lambda>\lambda_{0}$.

Definition 12 (Collision-Resistant Hash Function).

A hash function family $\mathcal{H}=\{H_{\lambda}:\{0,1\}^{*}\to\{0,1\}^{\lambda}\}_{\lambda\in\mathbb{N}}$ is collision-resistant if for all probabilistic polynomial-time (PPT) adversaries $\mathcal{A}$:

$$\mathrm{Adv}^{\mathrm{CR}}_{\mathcal{H}}(\mathcal{A})\coloneqq\Pr\Big[(x,x^{\prime})\leftarrow\mathcal{A}(1^{\lambda}):x\neq x^{\prime}\land H(x)=H(x^{\prime})\Big]\leq\mathrm{negl}(\lambda) \quad (14)$$

where the probability is taken over the internal randomness of $\mathcal{A}$.

Lemma 9 (Difference Lemma [shoup2004sequences]).

Let $A$, $B$, and $F$ be events defined on the same probability space. If $A\land\lnot F\Leftrightarrow B\land\lnot F$ (i.e., $A$ and $B$ are identical conditioned on $\lnot F$), then:

$$|\Pr[A]-\Pr[B]|\leq\Pr[F] \quad (15)$$
Proof.

We have $\Pr[A]=\Pr[A\land F]+\Pr[A\land\lnot F]$ and $\Pr[B]=\Pr[B\land F]+\Pr[B\land\lnot F]$. Since $A\land\lnot F\Leftrightarrow B\land\lnot F$, we have $\Pr[A\land\lnot F]=\Pr[B\land\lnot F]$. Thus $|\Pr[A]-\Pr[B]|=|\Pr[A\land F]-\Pr[B\land F]|\leq\Pr[F]$. ∎

Throughout this section, we assume the hash function $H$ used in Mhot is collision-resistant. This assumption is standard and satisfied by cryptographic hash functions such as SHA-256 and Blake3.

B.2 Mhot Proof System Formalization

Definition 13 (Mhot Proof System).

The Mhot proof system $\Pi=(\mathsf{Setup},\mathsf{Commit},\mathsf{Prove},\mathsf{Verify})$ consists of four algorithms:

  • $\mathsf{Setup}(1^{\lambda})\to\mathsf{pp}$: Outputs public parameters (the hash function description).

  • $\mathsf{Commit}(T)\to R$: Given a trie $T$, outputs a root commitment $R=(H_{\mathrm{content}}(N_{\mathrm{root}}),v,n)$ where $n$ is the total entry count.

  • $\mathsf{Prove}(T,\mathsf{stmt})\to\pi$: Given trie $T$ and statement $\mathsf{stmt}$, outputs a proof $\pi$.

  • $\mathsf{Verify}(R,\mathsf{stmt},\pi)\to\{0,1\}$: Outputs 1 (accept) or 0 (reject).

Definition 14 (Statement Types).

Mhot supports the following statement types:

  1. Membership: $\mathsf{stmt}=(K,V,\mathsf{mem})$ asserts $(K,V)\in T$.

  2. Non-membership: $\mathsf{stmt}=(K,\mathsf{nmem})$ asserts $K\notin\mathrm{keys}(T)$.

  3. Multi-membership: $\mathsf{stmt}=(\{(K_{i},V_{i})\}_{i=1}^{m},\mathsf{multi})$ asserts $\forall i:(K_{i},V_{i})\in T$.

  4. Lower bound: $\mathsf{stmt}=(Q,K_{r},V_{r},\mathsf{lb})$ asserts $\mathrm{lb}(Q)=(K_{r},V_{r})$.

  5. Range: $\mathsf{stmt}=([\mathsf{first},\mathsf{last}),\mathsf{entries},\mathsf{range})$ asserts $\mathsf{entries}=\{(K,V)\in T:\mathsf{first}\leq K<\mathsf{last}\}$.

Binding property of commitments. A fundamental security requirement is that the commitment scheme is computationally binding: no efficient adversary can produce two distinct tries with the same commitment. This property is essential for all subsequent soundness proofs.

Lemma 10 (Commitment Binding).

Under the collision resistance assumption, the commitment scheme $\mathsf{Commit}$ is computationally binding. Formally, for any PPT adversary $\mathcal{A}$:

$$\Pr\Big[(T_{1},T_{2})\leftarrow\mathcal{A}(1^{\lambda}):T_{1}\neq T_{2}\land\mathsf{Commit}(T_{1})=\mathsf{Commit}(T_{2})\Big]\leq\mathrm{negl}(\lambda) \quad (16)$$
Proof.

We proceed by induction on the maximum height of $T_{1}$ and $T_{2}$.

Base case (height 1): Both tries consist of single leaf nodes. If $\mathsf{Commit}(T_{1})=\mathsf{Commit}(T_{2})$, then $H_{\mathrm{leaf}}(K_{1},V_{1})=H_{\mathrm{leaf}}(K_{2},V_{2})$. If $(K_{1},V_{1})\neq(K_{2},V_{2})$, this constitutes a hash collision.

Inductive step: Suppose the lemma holds for all tries of height $<h$. Consider $T_{1},T_{2}$ of height $\leq h$ with $\mathsf{Commit}(T_{1})=\mathsf{Commit}(T_{2})$. This implies $H_{\mathrm{content}}(N_{1})=H_{\mathrm{content}}(N_{2})$ for their root nodes.

By Definition 2, if the root content hashes are equal but the node contents differ (i.e., different $M$, $S$, $\mathrm{CMR}$, or $L$), then a collision exists in $H$. If the node contents are identical including $\mathrm{CMR}(N_{1})=\mathrm{CMR}(N_{2})$, then by the collision resistance of the Merkle tree construction, the children hash sequences must be identical. By the inductive hypothesis applied to each child subtree, corresponding children must be identical. Hence $T_{1}=T_{2}$.

Any adversary producing $T_{1}\neq T_{2}$ with equal commitments can be converted to a collision finder, establishing the bound. ∎

Corollary 11 (Unique Preimage).

For any commitment $R$ in the range of $\mathsf{Commit}$, there exists at most one trie $T$ (up to negligible probability) such that $\mathsf{Commit}(T)=R$. We denote this unique trie as $T_{R}$ when it exists.

B.3 Security Games

We define formal security games for each proof type. In all games, the adversary $\mathcal{A}$ is computationally bounded (PPT) and aims to produce a valid proof for a false statement.

Game $\mathsf{G}^{\mathrm{mem}}_{\Pi,\mathcal{A}}(\lambda)$:
1. $\mathsf{pp}\leftarrow\mathsf{Setup}(1^{\lambda})$
2. $(R,K,V,\pi)\leftarrow\mathcal{A}(\mathsf{pp})$
3. $b\leftarrow\mathsf{Verify}(R,(K,V,\mathsf{mem}),\pi)$
4. if $b=0$ then return 0
5. $T_{\pi}\leftarrow\mathsf{ExtractTrie}(\pi)$
6. return $(K,V)\notin T_{\pi}$

Game $\mathsf{G}^{\mathrm{nmem}}_{\Pi,\mathcal{A}}(\lambda)$:
1. $\mathsf{pp}\leftarrow\mathsf{Setup}(1^{\lambda})$
2. $(R,K,\pi)\leftarrow\mathcal{A}(\mathsf{pp})$
3. $b\leftarrow\mathsf{Verify}(R,(K,\mathsf{nmem}),\pi)$
4. if $b=0$ then return 0
5. Parse $\pi=(K^{\prime},V^{\prime},\mathrm{Path})$
6. return $K=K^{\prime}$

Game $\mathsf{G}^{\mathrm{multi}}_{\Pi,\mathcal{A}}(\lambda)$:
1. $\mathsf{pp}\leftarrow\mathsf{Setup}(1^{\lambda})$
2. $(R,\{(K_{i},V_{i})\}_{i=1}^{m},\pi)\leftarrow\mathcal{A}(\mathsf{pp})$
3. $b\leftarrow\mathsf{Verify}(R,(\{(K_{i},V_{i})\},\mathsf{multi}),\pi)$
4. if $b=0$ then return 0
5. for $i=1$ to $m$ do
6.   $\pi_{i}\leftarrow\mathsf{ExtractSingleProof}(\pi,i)$
7.   $T_{\pi_{i}}\leftarrow\mathsf{ExtractTrie}(\pi_{i})$
8.   if $(K_{i},V_{i})\notin T_{\pi_{i}}$ then return 1
9. return 0

Game $\mathsf{G}^{\mathrm{lb}}_{\Pi,\mathcal{A}}(\lambda)$:
1. $\mathsf{pp}\leftarrow\mathsf{Setup}(1^{\lambda})$
2. $(R,Q,K_{r},V_{r},\pi)\leftarrow\mathcal{A}(\mathsf{pp})$
3. $b\leftarrow\mathsf{Verify}(R,(Q,K_{r},V_{r},\mathsf{lb}),\pi)$
4. if $b=0$ then return 0
5. Parse $\pi=(Q,\mathrm{Path},K^{\prime},V^{\prime},v^{\prime},\mathrm{Adj},K_{r},V_{r})$
6. $K^{*}\leftarrow\mathsf{ComputeLB}(\pi)$
7. return $K_{r}\neq K^{*}$

Game $\mathsf{G}^{\mathrm{range}}_{\Pi,\mathcal{A}}(\lambda)$:
1. $\mathsf{pp}\leftarrow\mathsf{Setup}(1^{\lambda})$
2. $(R,\mathsf{first},\mathsf{last},\mathsf{entries},\pi)\leftarrow\mathcal{A}(\mathsf{pp})$
3. $b\leftarrow\mathsf{Verify}(R,([\mathsf{first},\mathsf{last}),\mathsf{entries},\mathsf{range}),\pi)$
4. if $b=0$ then return 0
5. $r_{L}\leftarrow\mathsf{ComputeRank}(\pi.\pi^{L}_{\mathrm{lb}})$
6. $r_{R}\leftarrow\mathsf{ComputeRank}(\pi.\pi^{R}_{\mathrm{lb}})$
7. return $|\mathsf{entries}|\neq r_{R}-r_{L}$

Figure 10: Security games for Mhot proof system soundness. In the membership game $\mathsf{G}^{\mathrm{mem}}$, the adversary wins if verification accepts but $(K,V)\notin T_{\pi}$, where $\mathsf{ExtractTrie}$ reconstructs the partial trie from the proof (see Definition 15). In the non-membership game $\mathsf{G}^{\mathrm{nmem}}$, the adversary wins if the reached leaf equals the query key. In $\mathsf{G}^{\mathrm{lb}}$, $\mathsf{ComputeLB}(\pi)$ derives the correct lower bound from the authenticated structure.

Definition 15 (Trie Extraction from Proof).

The function $\mathsf{ExtractTrie}(\pi)$ reconstructs the partial trie structure implied by a proof $\pi=(K,V,v_{\mathrm{leaf}},\mathrm{Path})$. For each path entry $\mathrm{Path}[i]=(j_{i},M_{i},S_{i},L_{i},\eta_{i},v_{i},\Pi^{\mathrm{CMR}}_{i})$, the function constructs node $N_{i}$ with extraction masks $M_{i}$, sparse keys $S_{i}$, leaf counts $L_{i}$, and child hashes from $\Pi^{\mathrm{CMR}}_{i}$. The leaf node $\ell=(K,V,v_{\mathrm{leaf}})$ has hash $h_{\ell}=H_{\mathrm{leaf}}(K\parallel V\parallel v_{\mathrm{leaf}})$. The returned partial trie $T_{\pi}$ is uniquely determined by $\pi$’s hash chain; by Lemma 10, any trie $T$ with $\mathsf{Commit}(T)=R$ must contain this structure.

Remark 12 (Game Formulation).

Our game formulation avoids the circular dependency of checking against an externally-defined $T_{R}$. Instead, the winning condition is defined in terms of the trie structure implied by the proof itself. Since verification reconstructs the root hash from the proof, any accepting proof implicitly defines a (partial) trie structure. By Lemma 10, this structure is uniquely determined (up to collision probability) by the root commitment $R$.

Definition 16 (Single-Proof Extraction).

The function $\mathsf{ExtractSingleProof}(\pi,i)$ extracts a valid single-point membership proof for the $i$-th entry from a multi-point proof $\pi=(\mathrm{Entries},\mathrm{Levels})$. It retrieves entry $(K_{i},V_{i},v_{i})$ from $\mathrm{Entries}$, traces the path from root to $K_{i}$ by routing through nodes in $\mathrm{Levels}$, and for each node extracts from the compact multiproof $\Pi^{\mathrm{CMR}}_{J}$ the sibling hashes needed to verify $K_{i}$’s child position. The output is a single-point proof $\pi_{i}=(K_{i},V_{i},v_{i},\mathrm{Path}_{i})$.

Definition 17 (Rank Computation).

The function 𝖢𝗈𝗆𝗉𝗎𝗍𝖾𝖱𝖺𝗇𝗄(πlb)\mathsf{ComputeRank}(\pi_{\mathrm{lb}}) computes the rank of a key from its lower bound proof:

𝖢𝗈𝗆𝗉𝗎𝗍𝖾𝖱𝖺𝗇𝗄(πlb)=i=0|Path|1j=0ji1Path[i].L[j]\mathsf{ComputeRank}(\pi_{\mathrm{lb}})=\sum_{i=0}^{|\mathrm{Path}|-1}\sum_{j=0}^{j_{i}-1}\mathrm{Path}[i].L[j] (17)

where jij_{i} is the child index at level ii and L[j]L[j] is the leaf count of the jj-th child.

Definition 18 (Advantage).

For each game 𝖦\mathsf{G}, the adversary’s advantage is:

AdvΠ𝖦(𝒜)Pr[𝖦Π,𝒜(λ)=1]\mathrm{Adv}^{\mathsf{G}}_{\Pi}(\mathcal{A})\coloneqq\Pr[\mathsf{G}^{\cdot}_{\Pi,\mathcal{A}}(\lambda)=1] (18)

where the probability is taken over the randomness of 𝖲𝖾𝗍𝗎𝗉\mathsf{Setup} and the internal randomness of 𝒜\mathcal{A}. The proof system is sound for statement type 𝖦\mathsf{G} if AdvΠ𝖦(𝒜)negl(λ)\mathrm{Adv}^{\mathsf{G}}_{\Pi}(\mathcal{A})\leq\mathrm{negl}(\lambda) for all PPT 𝒜\mathcal{A}.

B.4 Proof of Lemma 1 (Optimistic Search Invariant)

Full Proof of Lemma 1.

We prove by strong induction on tree height $h$.

Base case ($h=1$): A height-1 trie consists of a single leaf node. Any search trivially terminates at this leaf, which vacuously agrees with the query on all (zero) discriminative bits encountered.

Inductive step: Assume the lemma holds for all tries of height $<h$. Consider a trie $T$ of height $h$ with root node $N$.

At node $N$, the search algorithm computes:

$$d=\mathrm{dense}(K,M)=\bigoplus_{i\in\mathrm{bit\_positions}(M)}K[i]\cdot 2^{\mathrm{rank}(i,M)} \quad (19)$$

where $M$ is the extraction mask and $K[i]$ denotes the $i$-th bit of key $K$.

The algorithm then finds the largest index $j$ such that:

$$(d\land S[j])=S[j] \quad (20)$$

where $S=(S[0],S[1],\ldots,S[|N|-1])$ are the sparse partial keys sorted in ascending order.

Existence of a match: By the HOT construction invariant, $S[0]=0$ for all non-empty nodes. This holds because the leftmost subtree corresponds to keys whose extracted bits are all 0 in the discriminative positions. Since $(d\land 0)=0=S[0]$ always holds, at least one matching index exists.

Deterministic selection: The search selects the largest matching $j$, which is unique because the sparse keys are sorted. Specifically, $j=\max\{i:(d\land S[i])=S[i]\}$ is well-defined. The search then recurses into child $c_{j}$, which is a subtrie of height $<h$. By the inductive hypothesis, the search terminates at exactly one leaf in $c_{j}$ that agrees with $K$ on all discriminative bits in that subtrie.

Discriminative bit agreement: The selected child $c_{j}$ contains exactly those keys that match $K$ on the discriminative bits encoded in $M$. Combined with the inductive guarantee, the final leaf $K^{\prime}$ agrees with $K$ on all discriminative bits encountered throughout the traversal. Note that $K^{\prime}$ may differ from $K$ on non-discriminative bits; membership is determined by a final equality check. ∎

B.5 Proof of Theorem 3 (Single-Point Soundness)

Theorem 13 (Single-Point Soundness — Restated).

For any PPT adversary $\mathcal{A}$:

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{mem}}_{\Pi}(\mathcal{A}) &\leq\mathrm{Adv}^{\mathrm{CR}}_{H}(\mathcal{B}_{1}) \quad (21)\\
\mathrm{Adv}^{\mathrm{nmem}}_{\Pi}(\mathcal{A}) &\leq\mathrm{Adv}^{\mathrm{CR}}_{H}(\mathcal{B}_{2}) \quad (22)
\end{aligned}$$

for efficiently constructible adversaries $\mathcal{B}_{1},\mathcal{B}_{2}$.

Proof.

We prove both membership and non-membership soundness via reduction to collision resistance.

Part 1: Membership Soundness. We construct a collision finder $\mathcal{B}_{1}$ from any adversary $\mathcal{A}$ that wins the membership game.

Algorithm 6 Collision Finder $\mathcal{B}_{1}^{\mathcal{A}}$
Input: Security parameter $1^{\lambda}$
Output: Hash collision $(x,x^{\prime})$ or $\bot$

  $\mathsf{pp}\leftarrow\mathsf{Setup}(1^{\lambda})$; $(R,K,V,\pi)\leftarrow\mathcal{A}(\mathsf{pp})$
  if $\mathsf{Verify}(R,(K,V,\mathsf{mem}),\pi)=0$ then return $\bot$
  end if
  Parse $\pi=(K,V,v_{\mathrm{leaf}},\mathrm{Path})$
  ▷ Phase 1: Compute hash chain
  $h_{0}\leftarrow H_{\mathrm{leaf}}(K\|V\|v_{\mathrm{leaf}})$
  for $i\leftarrow|\mathrm{Path}|-1$ downto $0$ do
    $(j_{i},M_{i},S_{i},L_{i},\eta_{i},v_{i},\Pi_{i})\leftarrow\mathrm{Path}[i]$
    $\mathrm{cmr}_{i}\leftarrow\textsc{ReconstructCMR}(h_{|\mathrm{Path}|-1-i},j_{i},\Pi_{i})$
    $h_{|\mathrm{Path}|-i}\leftarrow H(M_{i}\|S_{i}\|\mathrm{cmr}_{i}\|L_{i})$
  end for
  ▷ Phase 2: Check internal consistency
  for $i\leftarrow 0$ to $|\mathrm{Path}|-1$ do
    $\mathrm{cmr}^{\prime}_{i}\leftarrow\textsc{RecomputeCMR}(\Pi_{i})$
    if $\mathrm{cmr}_{i}\neq\mathrm{cmr}^{\prime}_{i}$ and both valid then
      return $\textsc{ExtractCMRCollision}(h_{|\mathrm{Path}|-1-i},j_{i},\Pi_{i})$
    end if
    $d_{i}\leftarrow\textsc{DenseKey}(K,M_{i})$; $j^{\prime}_{i}\leftarrow\textsc{SearchSparse}(d_{i},S_{i})$
    if $j_{i}\neq j^{\prime}_{i}$ then
      return $\textsc{ExtractRoutingCollision}(i,\pi)$
    end if
  end for
  ▷ Phase 3: Internal consistency at leaf level
  ▷ The proof $\pi$ claims membership for $(K,V)$
  ▷ Verification computes $h_{0}=H_{\mathrm{leaf}}(K\|V\|v_{\mathrm{leaf}})$
  ▷ If verification passes but the internal structure is inconsistent, a collision exists
  if $\mathcal{A}$ wins $\Rightarrow$ $\exists$ level $i$ with inconsistency then
    return collision extracted from that level (as shown in Cases 1–3)
  end if
  return $\bot$ ▷ $\mathcal{A}$ did not win

The auxiliary functions used in Algorithm 6 are defined as follows. $\textsc{ReconstructCMR}(h_{\mathrm{child}},j,\Pi^{\mathrm{CMR}})$ reconstructs the children Merkle root by placing $h_{\mathrm{child}}$ at position $j$ and using sibling hashes from $\Pi^{\mathrm{CMR}}$. $\textsc{ExtractCMRCollision}$ extracts a collision pair when two different child hashes produce the same CMR. $\textsc{ExtractRoutingCollision}(i,\pi)$ extracts a collision when the claimed child index differs from the computed index. $\textsc{DenseKey}(K,M)$ computes the dense partial key by extracting bits from $K$ at the positions indicated by mask $M$. $\textsc{SearchSparse}(d,S)$ returns the largest index $j$ such that $(d\land S[j])=S[j]$.

Analysis of $\mathcal{B}_{1}$: The key insight is that $\mathcal{B}_{1}$ does not need access to any external "authentic" trie $T_{R}$. Instead, $\mathcal{B}_{1}$ checks for internal inconsistencies within the proof $\pi$ itself.

If $\mathcal{A}$ wins the membership game, then verification accepts but the claimed $(K,V)$ is not authentically in the trie committed by $R$. We analyze the possible attack vectors:

Case 1: Path structure inconsistency. The proof claims child index $j_{i}$ at some level $i$, but the routing computation from $K$ and $M_{i}$ yields $j^{\prime}_{i}\neq j_{i}$. For verification to pass, the CMR reconstruction must place the child hash at position $j_{i}$. However, the correct CMR for the claimed node structure would place it at $j^{\prime}_{i}$. Since $\mathsf{Verify}$ recomputes the CMR and checks against $R$, either:

  • The recomputed CMR differs from the authentic one (hash collision in CMR), or

  • The node content hash $H(M_{i}\parallel S_{i}\parallel\mathrm{cmr}\parallel L_{i})$ produces the same value for different inputs (collision in $H$).

Case 2: Leaf content forgery. The proof authenticates leaf hash $h_{\mathrm{leaf}}$, but $(K,V)\neq(K^{\prime},V^{\prime})$ where $(K^{\prime},V^{\prime})$ is the authentic leaf content. For the hash chain to reach $R$, we need $H_{\mathrm{leaf}}(K,V,v)=H_{\mathrm{leaf}}(K^{\prime},V^{\prime},v^{\prime})$. If $(K,V,v)\neq(K^{\prime},V^{\prime},v^{\prime})$, this is a collision.

Case 3: CMR forgery. The intra-node Merkle proof $\Pi^{\mathrm{CMR}}_{i}$ authenticates child $h_{\mathrm{child}}$ at position $j_{i}$, but the authentic CMR has a different child at that position. By collision resistance of the Merkle tree, this requires a collision.

In all cases, if $\mathcal{A}$ succeeds in the membership game, $\mathcal{B}_{1}$ extracts a collision. Therefore:

$$\mathrm{Adv}^{\mathrm{mem}}_{\Pi}(\mathcal{A})\leq\mathrm{Adv}^{\mathrm{CR}}_{H}(\mathcal{B}_{1}) \quad (23)$$
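The hash-chain reconstruction (Phase 1) and the routing-consistency check (Phase 2) that Algorithm 6 performs are easiest to follow on concrete bytes. The Python below is an added example and not the paper's code: it fixes a toy instantiation (SHA-256 for both $H$ and $H_{\mathrm{leaf}}$, 8-bit keys, a constructed two-node path whose sibling hashes are arbitrary constants, and path entries that carry only $(j_i, M_i, S_i, L_i, \Pi_i)$, since the node hash $H(M_i\|S_i\|\mathrm{cmr}_i\|L_i)$ does not cover $\eta_i$ or $v_i$). A proof verifies only when the recomputed root equals $R$ and every claimed child index $j_i$ equals the $j'_i$ recomputed from $K$; the constructed tampering cases correspond to Cases 1 and 2 above.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """Toy node/internal hash: SHA-256 over the concatenated fields."""
    return hashlib.sha256(b"".join(parts)).digest()

def H_leaf(K: int, V: bytes, v: int) -> bytes:
    """Toy leaf hash H_leaf(K || V || v): 8-bit key, arbitrary value, 4-byte version."""
    return H(b"leaf", bytes([K]), V, v.to_bytes(4, "big"))

def node_hash(M, S, cmr: bytes, L) -> bytes:
    """Node content hash H(M || S || cmr || L); M, S, L are lists of small ints."""
    return H(b"node", bytes(M), bytes(S), cmr, bytes(L))

def dense(K: int, M) -> int:
    """DenseKey: pack the bits of K found at the mask positions M (ascending)."""
    return sum(((K >> b) & 1) << r for r, b in enumerate(M))

def search_sparse(d: int, S) -> int:
    """SearchSparse: largest j with (d AND S[j]) == S[j]; S[0] == 0 always matches."""
    return max(j for j in range(len(S)) if d & S[j] == S[j])

def _pad(children):
    level = list(children)
    while len(level) & (len(level) - 1):      # pad child list to a power of two
        level.append(b"\x00" * 32)
    return level

def merkle_root(children) -> bytes:
    """Children Merkle root (CMR) over the child hashes of one node."""
    level = _pad(children)
    while len(level) > 1:
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_path(children, j):
    """Pi^CMR for child j: the sibling hashes from that child up to the CMR."""
    level, sibs = _pad(children), []
    while len(level) > 1:
        sibs.append(level[j ^ 1])
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        j //= 2
    return sibs

def reconstruct_cmr(h_child: bytes, j: int, sibs) -> bytes:
    """ReconstructCMR: place h_child at position j and hash upward with the siblings."""
    h = h_child
    for s in sibs:
        h = H(s, h) if j & 1 else H(h, s)
        j //= 2
    return h

def verify(R: bytes, K: int, V: bytes, v: int, path) -> bool:
    """Single-point membership verification (Algorithm 6, Phases 1 and 2).
    `path` is root-first; each entry is (j_i, M_i, S_i, L_i, Pi_i)."""
    h = H_leaf(K, V, v)
    for j, M, S, L, sibs in reversed(path):            # leaf side first
        if search_sparse(dense(K, M), S) != j:         # claimed j_i vs recomputed j'_i
            return False
        h = node_hash(M, S, reconstruct_cmr(h, j, sibs), L)
    return h == R

def make_demo():
    """Constructed proof for (K, V) = (5, b'value-of-5') along a two-node path."""
    K, V, v = 5, b"value-of-5", 7
    # depth-1 node: mask {bit 0, bit 2}; K yields d = 3, so child 2 of S = [0, 2, 3]
    M1, S1, L1 = [0, 2], [0, 2, 3], [1, 1, 1]
    kids1 = [H(b"sibling-a"), H(b"sibling-b"), H_leaf(K, V, v)]   # constructed siblings
    h1 = node_hash(M1, S1, merkle_root(kids1), L1)
    # root node: mask {bit 4}; K has bit 4 clear, so child 0 of S = [0, 1]
    M0, S0, L0 = [4], [0, 1], [3, 2]
    kids0 = [h1, H(b"sibling-c")]
    R = node_hash(M0, S0, merkle_root(kids0), L0)
    path = [(0, M0, S0, L0, merkle_path(kids0, 0)),
            (2, M1, S1, L1, merkle_path(kids1, 2))]
    return R, K, V, v, path

def tampered_index(path):
    """The same proof, but claiming child index 1 at the depth-1 node (Case 1)."""
    j, M, S, L, sibs = path[1]
    return [path[0], (1, M, S, L, sibs)]
```

Changing $V$ breaks the chain at $h_0$ (Case 2); changing a claimed $j_i$ fails the routing check before any hashing (Case 1); asking the same proof to vouch for a different key, such as $K=6$, fails because its dense key selects a different sparse entry.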

Part 2: Non-Membership Soundness. For non-membership, the proof includes the leaf $(K^{\prime},V^{\prime})$ reached by optimistic search and claims $K\neq K^{\prime}$ but both route identically.

Suppose $\mathcal{A}$ wins: verification accepts but $K\in\mathrm{keys}(T_{R})$. By Lemma 1, optimistic search for $K$ terminates at a leaf agreeing with $K$ on all discriminative bits; when $K$ exists, this leaf is $K$ itself. The proof claims search terminates at $K^{\prime}\neq K$.

We construct collision finder $\mathcal{B}_{2}$ in Algorithm 7.

Algorithm 7 Collision Finder $\mathcal{B}_{2}^{\mathcal{A}}$ for Non-Membership
Input: Security parameter $1^{\lambda}$
Output: Hash collision $(x,x^{\prime})$ or $\bot$

  $\mathsf{pp}\leftarrow\mathsf{Setup}(1^{\lambda})$; $(R,K,\pi)\leftarrow\mathcal{A}(\mathsf{pp})$
  if $\mathsf{Verify}(R,(K,\mathsf{nmem}),\pi)=0$ then return $\bot$
  end if
  Parse $\pi=(K^{\prime},V^{\prime},v^{\prime},\mathrm{Path})$
  if $K=K^{\prime}$ then return $\bot$ ▷ Adversary failed to win
  end if
  ▷ Phase 1: Verify routing consistency
  for $i\leftarrow 0$ to $|\mathrm{Path}|-1$ do
    $d_{K}\leftarrow\textsc{DenseKey}(K,\mathrm{Path}[i].M)$
    $d_{K^{\prime}}\leftarrow\textsc{DenseKey}(K^{\prime},\mathrm{Path}[i].M)$
    $j_{K}\leftarrow\textsc{SearchSparse}(d_{K},\mathrm{Path}[i].S)$
    $j_{K^{\prime}}\leftarrow\textsc{SearchSparse}(d_{K^{\prime}},\mathrm{Path}[i].S)$
    if $j_{K}\neq j_{K^{\prime}}$ then
      return $\bot$ ▷ $K$ routes differently, not a valid attack
    end if
  end for
  ▷ Phase 2: Extract collision from hash chain
  ▷ At this point: $K\neq K^{\prime}$ but both route identically to the same leaf position
  ▷ The proof authenticates $h=H_{\mathrm{leaf}}(K^{\prime}\|V^{\prime}\|v^{\prime})$ against $R$
  ▷ If $K$ truly exists in $T_{R}$, there must be a leaf with key $K$
  ▷ Two distinct leaves at the same position $\Rightarrow$ collision in $H$
  return $\textsc{ExtractLeafCollision}(\pi,K,K^{\prime})$

Analysis of $\mathcal{B}_{2}$: If $\mathcal{A}$ wins the non-membership game, then verification accepts (implying $K\neq K^{\prime}$) but $K$ actually exists in $T_{R}$. By Lemma 1, optimistic search for $K$ in $T_{R}$ terminates at a leaf matching $K$ on all discriminative bits; since $K$ exists, this leaf is $K$ itself. The proof's path authenticates leaf $(K^{\prime},V^{\prime})$, which routes identically to $K$.

The key insight is that $\mathcal{B}_{2}$ does not need to "know" the authentic value $(V^{*},v^{*})$. Instead, $\mathcal{B}_{2}$ exploits the following structural argument.

Collision extraction via structural inconsistency: The proof $\pi$ authenticates a hash chain from leaf $K^{\prime}$ to root $R$. If $K\in T_{R}$ (which must be true for $\mathcal{A}$ to win), there also exists a hash chain from leaf $K$ to the same root $R$. Since $K\neq K^{\prime}$ but both route identically through the trie (verified in Phase 1), they must occupy the same leaf position.

  • The path $\mathrm{Path}$ commits to a unique leaf hash at each position via the CMR structure.

  • Two distinct keys at the same position implies $H_{\mathrm{leaf}}(K^{\prime}\|V^{\prime}\|v^{\prime})=H_{\mathrm{leaf}}(K\|V^{*}\|v^{*})$ for the (unknown) authentic $(V^{*},v^{*})$.

  • Since $K\neq K^{\prime}$, the inputs differ, constituting a collision.

The function $\textsc{ExtractLeafCollision}$ formalizes this. Specifically, given $\pi$ and keys $K\neq K^{\prime}$ that route identically:

  1. The proof $\pi$ commits to a unique leaf hash $h_{\ell}$ at the terminal position.

  2. If $K$ exists in $T_{R}$, its leaf must also have hash $h_{\ell}$ (same position, same root).

  3. Thus $H_{\mathrm{leaf}}(K^{\prime}\|V^{\prime}\|v^{\prime})=h_{\ell}=H_{\mathrm{leaf}}(K\|\cdot\|\cdot)$.

  4. Since $K\neq K^{\prime}$, the inputs differ, witnessing a collision.

The collision witness is $(K^{\prime}\|V^{\prime}\|v^{\prime})$ paired with the existence guarantee that some $(K\|V^{*}\|v^{*})$ hashes to the same value. In the random oracle model, this is a standard "extraction" argument; in the standard model, it suffices for the reduction.

Therefore:

$$\mathrm{Adv}^{\mathrm{nmem}}_{\Pi}(\mathcal{A})\leq\mathrm{Adv}^{\mathrm{CR}}_{H}(\mathcal{B}_{2}) \quad (24)$$

B.6 Proof of Theorem 4 (Multi-Point Soundness)

Full Proof of Theorem 4.

We reduce multi-point soundness to single-point soundness via a standard hybrid argument.

Suppose $\mathcal{A}$ wins $\mathsf{G}^{\mathrm{multi}}_{\Pi,\mathcal{A}}$ with probability $\epsilon>\mathrm{negl}(\lambda)$. Construct $\mathcal{B}$ for $\mathsf{G}^{\mathrm{mem}}$:

Algorithm 8 Single-Point Adversary $\mathcal{B}^{\mathcal{A}}$

  $\mathsf{pp}\leftarrow\mathsf{Setup}(1^{\lambda})$
  $(R,\{(K_{i},V_{i})\}_{i=1}^{m},\pi)\leftarrow\mathcal{A}(\mathsf{pp})$
  if $\mathsf{Verify}(R,(\{(K_{i},V_{i})\},\mathsf{multi}),\pi)=0$ then
    return $\bot$
  end if
  $i^{*}\leftarrow_{R}[1,m]$ ▷ Uniformly random index
  $\pi_{i^{*}}\leftarrow\mathsf{ExtractSingleProof}(\pi,i^{*})$
  return $(R,K_{i^{*}},V_{i^{*}},\pi_{i^{*}})$

Extraction of single-point proofs. The multi-point proof $\pi=(\mathrm{Entries},\mathrm{Levels})$ contains sufficient information to reconstruct a valid single-point proof $\pi_{i}$ for each $(K_{i},V_{i})$:

  • The entry $(K_{i},V_{i},v_{i})$ from $\mathrm{Entries}$.

  • The path from the root to leaf $K_{i}$, determined by routing $K_{i}$ through the nodes in $\mathrm{Levels}$.

  • For each node, the compact multiproof $\Pi^{\mathrm{CMR}}_{J}$ contains sufficient sibling hashes to verify any individual child $j\in J$.

Probability analysis. If $\mathcal{A}$ wins, then $\exists\,i^{*}:(K_{i^{*}},V_{i^{*}})\notin T_{R}$. Let $I=\{i:(K_{i},V_{i})\notin T_{R}\}$ be the set of "bad" indices. Conditioned on $\mathcal{A}$ winning, $|I|\geq 1$.

The probability that $\mathcal{B}$'s random choice $i^{*}$ falls in $I$ is:

$$\Pr[i^{*}\in I\mid\mathcal{A}\text{ wins}]\geq\frac{1}{m} \quad (25)$$

Therefore:

$$\mathrm{Adv}^{\mathrm{mem}}_{\Pi}(\mathcal{B})\geq\frac{\epsilon}{m} \quad (26)$$

By Theorem 13, $\mathrm{Adv}^{\mathrm{mem}}_{\Pi}(\mathcal{B})\leq\mathrm{negl}(\lambda)$. Since $m\leq|\pi|\leq\mathrm{poly}(\lambda)$ (the number of entries is bounded by the proof size):

$$\epsilon\leq m\cdot\mathrm{negl}(\lambda)=\mathrm{negl}(\lambda) \quad (27)$$

Security of path sharing. Path sharing does not weaken security because each shared node is verified with the same rigor as in independent proofs. The compact multiproof $\Pi^{\mathrm{CMR}}_{J}$ for child set $J$ authenticates all children $\{c_{j}:j\in J\}$ against a single CMR. Any forgery in one key's proof would produce an inconsistency detectable by single-point verification. ∎

B.7 Proof of Lemma 5 (Lower Bound Correctness)

Full Proof of Lemma 5.

We prove by case analysis on the relationship between query $Q$ and the leaf $K^{\prime}$ reached by optimistic search.

Let $d=\mathrm{diffbit}(Q,K^{\prime})$ denote the first bit position where $Q$ and $K^{\prime}$ differ. If $K^{\prime}=Q$, then $d=\infty$ (no differing bit).

Case 1: Exact Match ($K^{\prime}=Q$). The search terminates at a leaf with key $K^{\prime}=Q$. Since $Q$ exists in the trie, $\mathrm{lb}(Q)=Q=K^{\prime}$. The algorithm correctly returns $K^{\prime}$.

Case 2: Overshot ($Q[d]=0,K^{\prime}[d]=1$). The query $Q$ has bit 0 at position $d$, while $K^{\prime}$ has bit 1. Any key matching $Q$'s prefix up to position $d-1$ and having bit 1 at position $d$ is lexicographically greater than $Q$.

At fork depth $f$, the HOT search entered a subtree $S_{f}$ rooted at a node where the discriminative bit at position $d$ directed the search into the "right" branch (bit 1). By the key distribution property of HOT, all keys in $S_{f}$ have bit 1 at position $d$, hence all keys in $S_{f}$ satisfy $K>Q$.

The lower bound is the minimum key in $S_{f}$. To find this minimum, the algorithm descends from the fork point always taking the leftmost child (child index 0), reaching the leftmost leaf in $S_{f}$.

Correctness: Let $K_{\min}$ be the leftmost leaf in $S_{f}$. By the sparse key ordering (Definition 3), children with smaller indices contain lexicographically smaller keys. Thus $K_{\min}\leq K$ for all $K\in S_{f}$. Since all keys in $S_{f}$ are $>Q$, and $K_{\min}$ is the smallest such key, $\mathrm{lb}(Q)=K_{\min}$.

Case 3: Undershot ($Q[d]=1,K^{\prime}[d]=0$). The query $Q$ has bit 1 at position $d$, while $K^{\prime}$ has bit 0. All keys in the subtree containing $K^{\prime}$ have bit 0 at position $d$, so they are lexicographically less than $Q$.

The algorithm must find a right sibling at the fork point. Let $f$ be the fork depth. The search path at depth $f$ took child $c_{j}$. The algorithm examines siblings $c_{j+1},c_{j+2},\ldots$ to find the first sibling whose subtree contains keys $\geq Q$.

Correctness: By the HOT sparse key ordering, children with larger indices correspond to lexicographically larger key ranges (within the discriminative bits). The first right sibling $c_{j^{\prime}}$ (where $j^{\prime}>j$) that exists contains keys that:

  1. Share the same prefix as $Q$ up to the discriminative bits extracted before depth $f$.

  2. Have a larger sparse partial key than $c_{j}$, implying lexicographically larger keys.

The minimum key in $c_{j^{\prime}}$'s subtree is found by leftmost descent, yielding $\mathrm{lb}(Q)$.

If no right sibling exists at depth $f$, the algorithm backtracks to depth $f-1$ and repeats. This process continues until a right sibling is found or it is determined that no key $\geq Q$ exists (returning $\bot$). ∎

B.8 Proof of Theorem 6 (Lower Bound Soundness)

Full Proof of Theorem 6.

We reduce lower bound soundness to collision resistance.

Suppose $\mathcal{A}$ wins $\mathsf{G}^{\mathrm{lb}}_{\Pi,\mathcal{A}}$ with probability $\epsilon>\mathrm{negl}(\lambda)$. This means $\mathcal{A}$ produces $(R,Q,K_{r},V_{r},\pi)$ such that:

  • $\mathsf{Verify}(R,(Q,K_{r},V_{r},\mathsf{lb}),\pi)=1$

  • $K_{r}\neq K^{*}$, where $K^{*}$ is the true lower bound computable from $\pi$'s authenticated structure

Parse the proof as $\pi=(Q,\mathrm{Path},K^{\prime},V^{\prime},v^{\prime},\mathrm{Adj},K_{r},V_{r})$.

The verification algorithm performs four checks:

Check 1: Path integrity. $\mathrm{Path}$ must authenticate $(K^{\prime},V^{\prime})$ against $R$ via bottom-up hash reconstruction. By Theorem 13, if this check passes, $(K^{\prime},V^{\prime})$ is in the trie committed by $R$ with overwhelming probability.

Check 2: Search consistency. Both $Q$ and $K^{\prime}$ must route identically through $\mathrm{Path}$. The verifier recomputes $\mathrm{dense}(Q,M_{i})$ and $\mathrm{dense}(K^{\prime},M_{i})$ at each node and checks that they select the same child. This confirms that $K^{\prime}$ is the leaf that optimistic search reaches for $Q$.

Check 3: Fork depth correctness. The verifier independently computes the fork depth $f$ from the authenticated extraction masks:

$$f=\max\{i:d\in\mathrm{disc\_bits}(\mathrm{Path}[i].M)\} \quad (28)$$

where $d=\mathrm{diffbit}(Q,K^{\prime})$.

Crucially, the extraction masks $M_{i}$ are committed in the node content hash (Definition 2). The adversary cannot claim a different $f$ without providing different masks, which would change the node hash and cause a root mismatch.

Check 4: Structural minimality. For the claimed result $(K_{r},V_{r})$ to differ from $\mathrm{lb}(Q)$ while passing verification, the adjustment path $\mathrm{Adj}$ must violate the minimality constraints.

Sub-case 4a: Overshot case with non-leftmost descent. The verifier checks that every entry in $\mathrm{Adj}$ has child index 0. If the adversary claims index $j>0$ at some level but the authentic leftmost child differs, the CMR reconstruction will fail unless a collision exists.

Sub-case 4b: Undershot case with incorrect sibling. The verifier checks that the first adjustment entry is the immediate right sibling at the fork point. The authentic right sibling is determined by the sparse keys $S$ committed in the fork node's content hash. Any discrepancy requires forging either the sparse keys (changing the node hash) or the CMR (collision).

Sub-case 4c: Adjustment path leads to wrong leaf. If $\mathrm{Adj}$ leads to $(K_{r},V_{r})\neq\mathrm{lb}(Q)$ but verification passes, the hash chain from $K_{r}$ must match the chain from the authentic lower bound. By Lemma 10, this implies a collision.

Conclusion. In all cases, $\mathcal{A}$ winning implies that a hash collision is extractable. We construct $\mathcal{B}$ that runs $\mathcal{A}$, checks each verification step, and extracts a collision from any inconsistency:

$$\mathrm{Adv}^{\mathrm{lb}}_{\Pi}(\mathcal{A})\leq\mathrm{Adv}^{\mathrm{CR}}_{H}(\mathcal{B})\leq\mathrm{negl}(\lambda) \quad (29)$$

B.9 Proof of Lemma 7 (Rank Computation)

Full Proof of Lemma 7.

We prove by induction on path depth.

Claim: For a key $K$ with search path $(\mathrm{path}[0],\ldots,\mathrm{path}[h-1])$, where $\mathrm{path}[i].\mathrm{child\_idx}=j_{i}$:

$$\mathrm{rank}(K)=\sum_{i=0}^{h-1}\sum_{j=0}^{j_{i}-1}\mathrm{lc}(\mathrm{path}[i].\mathrm{children}[j]) \quad (30)$$

Base case ($h=1$): A single-node trie contains one leaf. The path is trivial with $j_{0}=0$ (only one child). The sum is empty, yielding $\mathrm{rank}(K)=0$. This is correct, as the only key has no predecessors.

Inductive step: Assume the formula holds for tries of height $<h$. Consider a trie $T$ of height $h$ with root $N$.

The search for $K$ at root $N$ selects child $c_{j_{0}}$ (where $j_{0}=\mathrm{path}[0].\mathrm{child\_idx}$). Within subtrie $c_{j_{0}}$, the search continues with path $(\mathrm{path}[1],\ldots,\mathrm{path}[h-1])$.

Key observation: Sparse key ordering. By HOT construction, children of a node are ordered by their sparse partial keys. If $j<j^{\prime}$, then all keys in child $c_{j}$'s subtree are lexicographically smaller than all keys in $c_{j^{\prime}}$'s subtree. This follows from the fact that sparse partial keys encode the discriminative bit patterns, which determine lexicographic ordering.

Counting keys smaller than $K$: The keys smaller than $K$ in $T$ consist of:

  1. All keys in children $c_{0},c_{1},\ldots,c_{j_{0}-1}$ of the root.

  2. Keys smaller than $K$ within child $c_{j_{0}}$'s subtree.

The count from (1) is:

$$\sum_{j=0}^{j_{0}-1}\mathrm{lc}(c_{j}) \quad (31)$$

where $\mathrm{lc}(c_{j})$ is the leaf count of subtree $c_{j}$, stored in the node's $L$ field and committed in the content hash.

The count from (2) is $\mathrm{rank}_{c_{j_{0}}}(K)$, the rank of $K$ within the subtrie rooted at $c_{j_{0}}$. By the inductive hypothesis:

$$\mathrm{rank}_{c_{j_{0}}}(K)=\sum_{i=1}^{h-1}\sum_{j=0}^{j_{i}-1}\mathrm{lc}(\mathrm{path}[i].\mathrm{children}[j]) \quad (32)$$

Combining:

$$\begin{aligned}
\mathrm{rank}_{T}(K) &=\sum_{j=0}^{j_{0}-1}\mathrm{lc}(c_{j})+\sum_{i=1}^{h-1}\sum_{j=0}^{j_{i}-1}\mathrm{lc}(\mathrm{path}[i].\mathrm{children}[j]) \quad (33)\\
&=\sum_{i=0}^{h-1}\sum_{j=0}^{j_{i}-1}\mathrm{lc}(\mathrm{path}[i].\mathrm{children}[j]) \quad (34)
\end{aligned}$$

which completes the induction. ∎
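The three ingredients used in B.4 (the dense key of Equation (19), the largest-matching-sparse-key rule of Equation (20) and the final equality check) and in Definition 17 and Lemma 7 (the rank as the sum of left-sibling leaf counts along the search path) can be exercised on a small trie. The Python below is an added example and not the paper's implementation: it builds a HOT-style trie over a constructed set of 8-bit integer keys by folding up to `LEVELS` binary discriminative-bit levels into one node (the mask $M$ is the set of bit positions used, the sparse partial key sets bit $\mathrm{rank}(b,M)$ for each right turn taken on bit $b$, and $L$ holds each child's leaf count), runs optimistic search, and checks the Lemma 1 invariant and the rank formula against brute force. Key width, `LEVELS`, the key set and the tuple encoding of nodes are all choices of this example.

```python
W = 8        # key width in bits (toy setting; state keys are far wider)
LEVELS = 2   # binary trie levels folded into one node, so fanout is at most 2**LEVELS

def first_diff_bit(keys):
    """Most significant bit position at which `keys` disagree, or None."""
    for b in range(W - 1, -1, -1):
        if len({(k >> b) & 1 for k in keys}) == 2:
            return b
    return None

def partition(keys, levels, disc, turns):
    """Split keys on successive discriminative bits for up to `levels` binary
    levels, recording every bit used in `disc`.  Returns (right-turn bits, keys)
    pairs, one per child of the node being built."""
    b = first_diff_bit(keys)
    if b is None or levels == 0:
        return [(turns, keys)]
    disc.add(b)
    left = [k for k in keys if not (k >> b) & 1]
    right = [k for k in keys if (k >> b) & 1]
    return (partition(left, levels - 1, disc, turns) +
            partition(right, levels - 1, disc, turns | {b}))

def build(keys):
    """Build ('node', M, S, L, children) or ('leaf', key) from distinct int keys."""
    if len(keys) == 1:
        return ("leaf", keys[0])
    disc = set()
    parts = partition(sorted(keys), LEVELS, disc, frozenset())
    M = sorted(disc)                         # extraction mask, ascending bit position
    rank = {b: r for r, b in enumerate(M)}   # rank(i, M) of Equation (19)
    # sparse partial key: bit rank(b) is set for every right turn taken on bit b,
    # so sorting by sparse key sorts the children by key order and S[0] == 0
    kids = sorted((sum(1 << rank[b] for b in turns), ks) for turns, ks in parts)
    S = [s for s, _ in kids]
    L = [len(ks) for _, ks in kids]          # leaf count of each child subtree
    return ("node", M, S, L, [build(ks) for _, ks in kids])

def dense(K, M):
    """Equation (19): pack the bits of K found at the mask positions."""
    return sum(((K >> b) & 1) << r for r, b in enumerate(M))

def search_sparse(d, S):
    """Equation (20): largest j with (d AND S[j]) == S[j]."""
    return max(j for j in range(len(S)) if d & S[j] == S[j])

def optimistic_search(root, K):
    """Descend without full-key comparisons.  Returns the reached leaf key and
    the path entries (j_i, M_i, S_i, L_i) in root-first order."""
    node, path = root, []
    while node[0] == "node":
        _, M, S, L, children = node
        j = search_sparse(dense(K, M), S)
        path.append((j, M, S, L))
        node = children[j]
    return node[1], path

def routes_identically(K, K2, path):
    """Lemma 1 invariant: K2 selects the same child as K at every node on the path."""
    return all(search_sparse(dense(K2, M), S) == j for j, M, S, _ in path)

def is_member(root, K):
    """Membership is decided by the final equality check at the reached leaf."""
    return optimistic_search(root, K)[0] == K

def compute_rank(path):
    """Definition 17 / Lemma 7: leaf counts of all left siblings along the path."""
    return sum(sum(L[:j]) for j, _, _, L in path)

KEYS = [3, 5, 6, 9, 12, 13, 40, 41, 200, 201, 255]   # constructed key set
ROOT = build(KEYS)

def check_all():
    """True iff every key is found at its own leaf with rank equal to its sorted
    position, and every 8-bit query (member or not) routes identically to the
    leaf the search reaches and is classified correctly."""
    srt = sorted(KEYS)
    for K in srt:
        leaf, path = optimistic_search(ROOT, K)
        if leaf != K or compute_rank(path) != srt.index(K):
            return False
    for Q in range(2 ** W):
        leaf, path = optimistic_search(ROOT, Q)
        if not routes_identically(Q, leaf, path) or is_member(ROOT, Q) != (Q in KEYS):
            return False
    return True
```

For this key set the root node ends up with mask $M=[5,7]$, sparse keys $S=[0,1,2,3]$ and leaf counts $L=[6,2,2,1]$; searching for 40 takes child 1 at the root and child 0 below it, so Equation (17) gives rank $6+0=6$, which is 40's position in the sorted key list. A non-member such as 7 is routed to the leaf 6, which agrees with 7 on every discriminative bit the search inspected, and is rejected only by the final equality check, exactly the situation the non-membership proof of B.5 relies on.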

B.10 Proof of Theorem 8 (Range Soundness)

Theorem 14 (Range Soundness — Restated).

For any PPT adversary $\mathcal{A}$:

$$\mathrm{Adv}^{\mathrm{range}}_{\Pi}(\mathcal{A})\leq 2\cdot\mathrm{Adv}^{\mathrm{lb}}_{\Pi}+\mathrm{Adv}^{\mathrm{multi}}_{\Pi}+\mathrm{negl}(\lambda) \quad (35)$$

Full Proof.

We prove via a sequence of games, following the standard game-based methodology. Each transition is classified according to the three canonical types: (1) indistinguishability-based, (2) failure-event-based with the Difference Lemma, or (3) bridging steps.

Game 0: Original range soundness game. This is $\mathsf{G}^{\mathrm{range}}_{\Pi,\mathcal{A}}$ as defined. Let $S_{0}$ denote the event that $\mathcal{A}$ wins.

Game 0 $\to$ Game 1: Abort on boundary proof failure. [Type 2: Failure Event Transition]

Game 1 is identical to Game 0, except that we abort (the adversary loses) if either boundary proof $\pi^{L}_{\mathrm{lb}}$ or $\pi^{R}_{\mathrm{lb}}$ would fail independent verification.

Failure event definition: Let $F_{1}$ be the event that Game 0 accepts but one of the boundary proofs is unsound (i.e., claims an incorrect lower bound). Formally, $F_{1}$ occurs when:

  • $\mathsf{Verify}(R,(\mathsf{first},K^{L}_{r},V^{L}_{r},\mathsf{lb}),\pi^{L}_{\mathrm{lb}})=1$ but $K^{L}_{r}\neq\mathrm{lb}(\mathsf{first})$, or

  • $\mathsf{Verify}(R,(\mathsf{last},K^{R}_{r},V^{R}_{r},\mathsf{lb}),\pi^{R}_{\mathrm{lb}})=1$ but $K^{R}_{r}\neq\mathrm{lb}(\mathsf{last})$.

Difference Lemma application: Games 0 and 1 proceed identically unless $F_{1}$ occurs. Formally, $S_{0}\land\lnot F_{1}\Leftrightarrow S_{1}\land\lnot F_{1}$. By the Difference Lemma:

$$|\Pr[S_{0}]-\Pr[S_{1}]|\leq\Pr[F_{1}] \quad (36)$$

Bounding $\Pr[F_{1}]$: By Theorem 6, each boundary proof has soundness error at most $\mathrm{Adv}^{\mathrm{lb}}_{\Pi}$. By a union bound over the two boundary proofs:

$$\Pr[F_{1}]\leq 2\cdot\mathrm{Adv}^{\mathrm{lb}}_{\Pi} \quad (37)$$

Game 1 $\to$ Game 2: Abort on multi-proof failure. [Type 2: Failure Event Transition]

Game 2 is identical to Game 1, except that we abort if $\pi_{\mathrm{multi}}$ would fail independent verification (i.e., some claimed entry is not in $T_{R}$).

Failure event: Let $F_{2}$ be the event that the multi-proof passes verification but $\exists\,i:(K_{i},V_{i})\notin T_{R}$.

Difference Lemma application: $S_{1}\land\lnot F_{2}\Leftrightarrow S_{2}\land\lnot F_{2}$. By the Difference Lemma and Theorem 4:

$$|\Pr[S_{1}]-\Pr[S_{2}]|\leq\Pr[F_{2}]\leq\mathrm{Adv}^{\mathrm{multi}}_{\Pi} \quad (38)$$

Game 2 $\to$ Game 3: Honest verification. [Type 3: Bridging Step]

In Game 2, all sub-proofs are sound (conditioned on $\lnot F_{1}\land\lnot F_{2}$). Game 3 is a conceptual restatement in which we analyze what "honest verification" implies. This is a purely logical transition with $\Pr[S_{2}]=\Pr[S_{3}]$.

Analysis of Game 3: Information-theoretic argument.

In Game 3, conditioned on all sub-proofs being sound, the verifier computes:

$$\begin{aligned}
r_{L} &=\mathrm{rank}(\mathsf{first})\quad\text{(from }\pi^{L}_{\mathrm{lb}}\text{)} \quad (39)\\
r_{R} &=\mathrm{rank}(\mathsf{last})\quad\text{(from }\pi^{R}_{\mathrm{lb}}\text{)} \quad (40)
\end{aligned}$$

using the authenticated leaf count fields.

By Lemma 7, these ranks are computed correctly from the Merkle-committed paths. The expected entry count is $r_{R}-r_{L}$.

The verifier checks $|\mathsf{entries}|=r_{R}-r_{L}$ and that all entries are in the range $[\mathsf{first},\mathsf{last})$ with correct ordering.

Omission attack prevention: Suppose $|\mathsf{entries}|<|E^{*}|$, where $E^{*}$ is the true set of entries in $[\mathsf{first},\mathsf{last})$. Since the boundary proofs are sound (by conditioning on $\lnot F_{1}$), the ranks $r_{L},r_{R}$ are correct. By definition, $|E^{*}|=r_{R}-r_{L}$. Thus $|\mathsf{entries}|<r_{R}-r_{L}$, and the count check fails.

Insertion attack prevention: Suppose $\mathsf{entries}$ contains an entry $(K_{i},V_{i})$ where either $K_{i}\notin[\mathsf{first},\mathsf{last})$ or $(K_{i},V_{i})\notin T_{R}$. The ordering check rejects if $K_{i}\notin[\mathsf{first},\mathsf{last})$. By conditioning on $\lnot F_{2}$, all $(K_{i},V_{i})\in T_{R}$. Including extra (valid but out-of-range) entries is impossible due to the ordering check. Including exactly $r_{R}-r_{L}$ entries, all in range and in the trie, forces $\mathsf{entries}=E^{*}$. Therefore, $\Pr[S_{3}]=0$ (the adversary cannot win Game 3).

Combining the transitions. We now combine all game transitions using the triangle inequality. Let $\epsilon_{\mathrm{lb}}=\mathrm{Adv}^{\mathrm{lb}}_{\Pi}$ and $\epsilon_{\mathrm{multi}}=\mathrm{Adv}^{\mathrm{multi}}_{\Pi}$.

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{range}}_{\Pi}(\mathcal{A}) &=\Pr[S_{0}] \quad (41)\\
&\leq\Pr[S_{1}]+|\Pr[S_{0}]-\Pr[S_{1}]| \quad (42)\\
&\leq\Pr[S_{1}]+2\epsilon_{\mathrm{lb}} \quad (43)\\
&\leq\Pr[S_{2}]+|\Pr[S_{1}]-\Pr[S_{2}]|+2\epsilon_{\mathrm{lb}} \quad (44)\\
&\leq\Pr[S_{2}]+\epsilon_{\mathrm{multi}}+2\epsilon_{\mathrm{lb}} \quad (45)\\
&=\Pr[S_{3}]+\epsilon_{\mathrm{multi}}+2\epsilon_{\mathrm{lb}} \quad (46)\\
&=0+\epsilon_{\mathrm{multi}}+2\epsilon_{\mathrm{lb}} \quad (47)\\
&=2\cdot\mathrm{Adv}^{\mathrm{lb}}_{\Pi}+\mathrm{Adv}^{\mathrm{multi}}_{\Pi} \quad (48)\\
&\leq\mathrm{negl}(\lambda) \quad (49)
\end{aligned}$$

The final inequality holds since both $\mathrm{Adv}^{\mathrm{lb}}_{\Pi}$ and $\mathrm{Adv}^{\mathrm{multi}}_{\Pi}$ are negligible by Theorems 6 and 4. ∎

B.11 Security Summary

Table 5: Summary of security reductions.

| Property | Reduces to | Bound | Tightness |
|---|---|---|---|
| Commitment binding | CR | $\epsilon_{\mathrm{CR}}$ | Direct |
| Single-point soundness | CR | $\epsilon_{\mathrm{CR}}$ | Direct |
| Non-membership soundness | CR | $\epsilon_{\mathrm{CR}}$ | Direct |
| Multi-point soundness | Single-point | $m\cdot\epsilon_{\mathrm{CR}}$ | Factor $m$ |
| Lower bound soundness | CR | $\epsilon_{\mathrm{CR}}$ | Direct |
| Range soundness | LB + Multi | $(m+2)\cdot\epsilon_{\mathrm{CR}}$ | Factor $m+2$ |

All Mhot proofs achieve computational soundness under the collision resistance assumption for the underlying hash function. The reductions are tight or near-tight (with polynomial loss bounded by the number of entries), ensuring that the concrete security level matches that of the hash function.

Theorem 15 (Main Security Theorem).

Let $H$ be a collision-resistant hash function with advantage bound $\epsilon_{\mathrm{CR}}$ against $\tau$-time adversaries. Then the Mhot proof system is sound for all statement types against $\tau^{\prime}$-time adversaries, where:

  • $\tau^{\prime}\approx\tau-O(\mathrm{poly}(\lambda))$ (polynomial overhead for proof verification and the reduction)

  • Soundness advantage $\leq(m+2)\cdot\epsilon_{\mathrm{CR}}$ for proofs involving $m$ entries

In particular, for single-point proofs the reduction is tight ($\epsilon^{\prime}=\epsilon_{\mathrm{CR}}$).

Proof.

Follows directly from combining Lemma 10 and Theorems 13, 4, 6, and 14. ∎